Pete Recommends – Weekly highlights on cyber security issues, February 6, 2021

Subject: 30% of ‘SolarWinds’ Victims Did Not Actually Use SolarWinds Software, Feds Say
Source: Gizmodo

Indeed, the cybersecurity scandal—which has proved to be the biggest in U.S. history—unfortunately became known as “SolarWinds” after hackers inserted a backdoor into the company’s popular Orion software, an IT management program commonly used by government agencies, and used the trojanized updates to infiltrate its clients.

But, as has been previously reported, the hackers appear to have leveraged a multitude of strategies to worm their way into U.S. entities—not just the Orion backdoor. These have included exploiting improperly secured administrative credentials, password spraying, and even, apparently, just guessing passwords. They also compromised other companies, including Microsoft, FireEye and Malwarebytes, in some cases by routes independent of the SolarWinds supply chain, and appear to have abused Microsoft’s cloud-based Office software to reach certain government agencies.

Indeed, investigators are still untangling the path of the hackers and the route they took as they wended their way into a vital U.S. supply chain. The Wall Street Journal reports:

However, some private firms have been more cautious with attribution. Benjamin Reed, the director of threat intelligence at FireEye (which was also hacked by the same actor) recently said he had “not seen enough evidence” to determine whether the actor came from Russia, though he called it “plausible.” Russia has denied responsibility.


Subject: Police in Almost All U.S. States Use Amazon’s Ring Program
Source: Gizmodo

If you have an Amazon Ring smart doorbell, there’s something you should know. A growing number of fire and police departments are interested in your doorbell—or to be frank, in its camera footage—especially if they feel it can help them in their investigations. In fact, there are now 2,014 departments in the program from every U.S. state except Montana and Wyoming.

According to a recent report in the Financial Times, the number of departments in Amazon’s Ring program more than doubled last year, when the company added 1,189 departments. The program allows law enforcement officials to contact Ring users in a certain area and ask them to provide footage from their cameras that might be relevant to local investigations.

Police don’t need a warrant to request the videos, and owners can decline to provide their Ring’s footage. Nonetheless, the scenario changes when subpoenas, court orders, and search warrants are involved, per the Times, because Amazon can be forced to comply with these legal requests and provide footage and “identifying data” even if the owner of the doorbell has denied access.

While Ring has maintained that its program gives law enforcement more resources to solve crimes, critics accuse it of building a “for-profit private surveillance network.” Meanwhile, legal experts and privacy advocates worry that the network and the program could threaten civil liberties and turn Ring users into police informants. It could also make innocent people undergo unnecessary surveillance.

[where’s Face Recognition when you need it? /pmw1]

Subject: Here’s a Way to Learn if Facial Recognition Systems Used Your Photos
Source: NYT via beSpacific

The New York Times – “An online tool targets only a small slice of what’s out there, but may open some eyes to how widely artificial intelligence research fed on personal images. When tech companies created the facial recognition systems that are rapidly remaking government surveillance and chipping away at personal privacy, they may have received help from an unexpected source: your face. Companies, universities and government labs have used millions of images collected from a hodgepodge of online sources to develop the technology. Now, researchers have built an online tool, Exposing.AI, that lets people search many of these image collections for their old photos. The tool, which matches images from the Flickr online photo-sharing service, offers a window onto the vast amounts of data needed to build a wide variety of A.I. technologies, from facial recognition to online “chatbots.”…

Subject: Russian hack brings changes, uncertainty to U.S. court system
Source: AP via Yahoo

PHILADELPHIA (AP) — Trial lawyer Robert Fisher is handling one of America’s most prominent counterintelligence cases, defending an MIT scientist charged with secretly helping China. But how he’ll handle the logistics of the case could feel old school: Under new court rules, he’ll have to print out any highly sensitive documents and hand-deliver them to the courthouse.

Until recently, even the most secretive material — about wiretaps, witnesses and national security concerns — could be filed electronically. But that changed after the massive Russian hacking campaign that breached the U.S. court system’s electronic case files and those of scores of other federal agencies and private companies.

The new rules for filing sensitive documents are one of the clearest ways the hack has affected the court system. But the full impact remains unknown. Hackers probably gained access to the vast trove of confidential information hidden in sealed documents, including trade secrets, espionage targets, whistleblower reports and arrest warrants. It could take years to learn what information was obtained and what hackers are doing with it.

Subject: TSA, Delta test biometric check-in for domestic flights
Source: GCN

The Transportation Security Administration is working with Delta Airlines and the Detroit Metropolitan Wayne County Airport to test a biometric system that verifies a domestic passenger’s digital identity at TSA PreCheck checkpoints using the customer’s passport number, TSA PreCheck membership and a live photo.

The service compares a live image taken at the checkpoint to photos that the passenger previously provided to the government on a passport or visa application. Earlier pilots compared the photos on the identity documents passengers were carrying directly against the information provided to TSA.

Only CBP Global Entry passengers and TSA PreCheck passengers who have a U.S. passport can participate in the pilot. During Delta’s mobile app check-in process, eligible passengers will be notified that they can participate.

Subject: U.S. technology company Clearview AI violated Canadian privacy law: report
Source: CBC News

A report by four Canadian privacy commissioners has found Clearview AI’s technology created a significant risk to individuals by allowing law enforcement and companies to match photos against its database of more than three billion images, including Canadians and children. Clearview AI’s software collects images from the internet and allows users to search for matches.

Four Canadian privacy commissioners are calling on governments to beef up federal and provincial privacy laws after they found American technology firm Clearview AI violated Canadian privacy laws by collecting photos of Canadians without their knowledge or consent.

“What Clearview does, is mass surveillance and it is illegal,” federal privacy commissioner Daniel Therrien told reporters Wednesday. “It is an affront to individuals’ privacy rights and inflicts broad based harm on all members of society who find themselves continually in a police lineup.”

“This is completely unacceptable.”

British Columbia information and privacy commissioner Michael McEvoy said the case also highlights the need to strengthen privacy laws in Canada.

The investigation found that Clearview collected images in Canada and actively marketed its services to Canadian police forces. The RCMP paid for its services, and there were 48 accounts created for law enforcement agencies and other organizations across Canada.

In a separate investigation, the federal privacy commissioner’s office is probing the way the RCMP used Clearview’s technology.

While the company no longer allows its technology to be used in Canada, Therrien said it has refused to delete the photos of Canadians in its database. It does allow individuals to apply to have their photos deleted, but requires them to send a photo in order to do so, he said.

Subject: Tips to Improve Cyber Security and Website Security
Source: Cheap SSL Shop via beSpacific

Until recently, being secure meant setting up an alarm, trusting no strangers and locking the doors. Now everything is digitized. People no longer use appliances and devices the way they used to, and everything from purchases to payments has moved online.

The impact of the digital world is immense, and crime has followed the same path. As people have adopted new technologies, criminals use the same channels to reach them; from large enterprises to the owners of small and medium-sized businesses, everyone is threatened by cybercriminals. So never be lazy about taking precautionary steps. In this post, let us see how to ensure cyber security and improve website security.

Subject: Tough to Get Help Opting Out of Data Sharing
Source: Consumer Reports

A CR study reveals progress, along with problems, when Calif. consumers use “authorized agents” to stop their data from being sold. A new Consumer Reports study found that there are big barriers to overcome before new services can start helping California residents opt out of data sharing under the California Consumer Privacy Act, a landmark law that went into effect Jan. 1, 2020.

The CCPA gives Californians several new rights over the information that private companies collect and store. Under the state law, consumers can tell companies to stop selling their personal information, to supply the consumer with a copy of the information, or to delete it altogether. The law also says that residents can ask a third party, or “authorized agent,” to help them exercise those rights by contacting data-holding companies on their behalf.

That’s the aspect of the CCPA that CR’s new study explores. The authorized agent provision is supposed to address a hurdle consumers face if they want to flex their rights to limit the way personal information is collected and used: Hundreds of companies may hold data about you, and it would be almost impossible for an individual to find and contact every company one by one.

Subject: FDA names 1st medical device cybersecurity director
Source: Becker’s Health IT

The FDA appointed University of Michigan computer science researcher Kevin Fu to serve as the agency’s first acting director of medical device cybersecurity, according to a Feb. 2 news release.

The newly created position lasts for one year and began Jan. 1. Mr. Fu will oversee cybersecurity safety and effectiveness of medical devices, including pacemakers, insulin pumps, hospital imaging machines and other electronic devices.

He will retain his position at the Ann Arbor, Mich.-based university while serving at the FDA.


Subject: NCIJTF Releases Ransomware Factsheet
Source: CISA

The National Cyber Investigative Joint Task Force (NCIJTF) has released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The Ransomware Factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.