Pete Recommends – Weekly highlights on cyber security issues, March 6, 2021

Subject: NSA Releases Guidance on Zero Trust Security Model
Source: CISA

The National Security Agency (NSA) has released Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred.CISA encourages administrators and organizations review NSA’s guidance on Embracing a Zero Trust Security Model to help secure sensitive data, systems, and services.

Subject: Local Mother Recounts Terrifying Kidnapping Scam That Spoofed Her Daughter’s Cell Phone Number
Source: CBS Pittsburgh

The woman said it seemed so real because when she got the call on her cell phone, it came up as her daughter’s number.

“He tells me he has my daughter and her name and her husband and says his name and that he has them at gunpoint and I need to listen to him and not hang up the phone and do what he says or he will kill them,” the mother said.

His only demand was to send $1,500 to a Gmail account.

“He said you need to send it through Zelle. Go online and figure out how to open an account now, do it quickly or my daughter was going to die,” she said.

Officials at the FBI’s Pittsburgh Field Office told KDKA they’ve heard of virtual kidnapping and spoofing happening. The FBI believes most virtual kidnappings for ransom remain unreported and they do not keep statistics on that.

The woman called the FCC and her bank. She also filed a report with the FBI and local police.

Subject: You Can’t Launder Bitcoins!
Source: Forbes

Dollars Are Fungible, Bitcoins Are Not.As you’ll be aware from the plethora of stories about Bitcoin using more electricity than most countries, Bitcoin “mining” means throwing massive amounts of computer power at a mathematical puzzle, and the first computer to solve the puzzle finds the new bitcoins. Not everyone gets into Bitcoin mining just for the money though. The operator of a Bitcoin mining pool (a group of miners who work together to share the profits) quoted in CoinDesk says that some are investing for other reasons “such as to avoid capital controls or avoid sanctions”.

Some people mine Bitcoin for profits but some some people mine it for politics. The Foundation for Defense of Democracies (FDD), a Washington think tank, summarised the emerging situation rather well in their position paper “Crypto Rogues“. They noted that “blockchain technology may be the innovation that enables U.S. adversaries for the first time to operate entire economies outside the U.S.-led financial system”. Now, while this may be technically slightly inaccurate (there are ways to create anonymous transactions without a blockchain and, indeed, the Swiss central bank has just published a working paper describing how to do so) it again flags up that the widespread availability of decentralised financial services threatens to bypass the existing infrastructure.

Subject: Accidental Wiretaps: The Implications of False Positives By Always-Listening Devices For Privacy Law & Policy
Source: SSRN via beSpacific

Barrett, Lindsey and Liccardi, Ilaria, Accidental Wiretaps: The Implications of False Positives By Always-Listening Devices For Privacy Law & Policy (February 8, 2021). Available at SSRN:
“Always-listening devices like smart speakers, smartphones, and other voice-activated technologies create enough privacy problems when working correctly. But these devices can also misinterpret what they hear, and thus accidentally record their surroundings without the consent of those they record, a phenomenon known as a ‘false positive.’ The privacy practices of device users add another complication: a recent study of individual privacy expectations regarding false positives by voice assistants depicts how people tend to carefully consider the privacy preferences of those closest to them when deciding whether to subject them to the risk of accidental recording, but often disregard the preferences of others. The failure of device owners to get consent from those around them is exacerbated by the accidental recordings, as it means that the companies collecting the recordings aren’t obtaining the consent to record their subjects that the Federal Wiretap Act, state wiretapping laws, and consumer protection laws require, as well as contravening the stringent privacy assurances that these companies generally provide….

Subject: Mental Health Apps and User Privacy
Source: Consumer Reports

  • HIPAA, the federal health data law, doesn’t apply to all the information collected by the apps.
  • CR’s testers observed apps sharing unique IDs, specific to a particular smartphone, with several companies, including Facebook.
  • Privacy policies don’t always make it clear what kind of data could be shared, and how it could be used.

Mental health apps take a number of approaches to providing help. Some connect you with licensed therapists over video. Conversations with therapists are typically covered by the same state and federal health privacy rules that apply to in-person therapy or to any doctor’s appointment.

But the same apps or similar-sounding ones may provide guided meditations, mood-tracking diaries, therapy chatbots, and cognitive behavioral therapy exercises. Along the way, you might be asked to complete a questionnaire on your mental health symptoms.

The data you provide as you use those features might not necessarily be treated as confidential by the app developers, or by the law.

Using specially programed Android phones, we watched which outside companies received data from the apps as we used them, and checked to determine whether privacy settings were on or off by default. We also analyzed how well the apps’ privacy policies matched what we observed. We worked on that technical analysis with AppCensus, a privacy research company that has collaborated with Consumer Reports on other investigations, and we’ve posted a detailed test report (PDF).

In general, these mental health services acted like many other apps you might download. For instance, we spotted apps sharing unique IDs associated with individual smartphones that tech companies often use to track what people do across lots of apps. The information can be combined with other data for targeted advertising. Many apps do that, but should mental health apps act the same way? At a minimum, Consumer Reports’ privacy experts think, users should be given a clearer explanation of what’s going on.

An interesting exception was 7 Cups—its privacy policy says the company shares data with third parties, but we didn’t observe that happening during our tests. This highlights the fact that a lot of data collection and trading takes place between company computer systems. Consumer Reports’ testing reveals what information leaves directly from your smartphone, and where it goes. However, no test can capture what companies do with your data or who they share it with after they receive it. This is why both CR and consumers need to rely on privacy policies and other company documents.

Subject: NSA Pushes Zero Trust Principles to Help Prevent Sophisticated Hacks
Source: Nextgov

The National Security Agency is working with National Security Systems and Defense Department programs to pilot the implementation of Zero Trust principles and will provide more guidance in the coming months, according to a document the agency released last week.While traditional security architectures focus on protecting the perimeter of an enterprise, a Zero Trust approach assumes the threat is already inside the network and emphasizes continuously monitoring who has access to high-value data at every step and stopping them from capturing it.

The guide NSA released Feb. 25 provides examples of how implementing Zero Trust could have foiled some of the approaches hackers used to compromise at least nine federal agencies and a hundred companies in an attack that leveraged network management company SolarWinds in combination with other avenues. The perpetrators’ focus on avoiding detection portends greater use of such tactics in the future and makes Zero Trust all the more important, NSA said.


Subject: SSA Inspector General: New Tactics for Government Imposters
Source: Office of the Inspector General, SSA

FOR IMMEDIATE RELEASE March 2, 2021 – The Inspector General for the Social Security Administration (SSA), Gail S. Ennis, is alerting the public about a new tactic in government imposter phone scams to deceive people into sending money or personal information. The Office of the Inspector General (OIG) has received reports of phone scammers creating fake versions of the identification badges most Federal employees use to gain access to Federal buildings. The badges use government symbols, words, and even names and photos of real people, which are available on government websites or through Internet searches. The scammers may text or email photos of the fake badges to convince potential victims of their legitimacy.

Government imposter scams, most often involving Social Security number-related issues, are widespread across the United States, and scammers’ tactics are sophisticated and constantly evolving. To help the public learn how to identify – and avoid – these scams, Inspector General Ennis has designated Thursday, March 4, 2021 as National “Slam the Scam” Day, in coordination with National Consumer Protection Week

Subject: NIST Planning Workshop to Comply with Law on Federal IoT Procurement
Source: Nextgov

The IoT Cybersecurity Improvement Act of 2020 passed in December with the provision that NIST publish standards and guidelines—within 90 days— for federal agencies’ appropriate use of devices that make up the internet of things. The law generally prohibits agencies from procuring devices that don’t meet the standards and guidelines, which are to be laid out in policy by the Office of Management and Budget.NIST published a core baseline of IoT cybersecurity capabilities back in May and in December issued drafts of a number of complementary documents, including nontechnical baselines on issues like vulnerability reporting and contract management; a profile for federal agencies incorporating the technical and nontechnical baselines; and the overarching Special Publication 800-213, “IoT Device Cybersecurity Guidance for the Federal Government,” which includes a catalog agencies can use when they are purchasing IoT devices to go beyond the lowest requirements.

Briefing NIST’s Information Security and Privacy Advisory Board on the issue Thursday, Megas said reactions to NIST’s work toward meeting its statutory obligation include concerns that the baseline can’t be applied to certain devices which should therefore be exempt, and that NIST’s approach would result in splintered federal requirements.


Subject: You got a vaccine. Walgreens got your data.
Source: Vox via beSpacific

Vox – Retail pharmacies are now giving out Covid-19 vaccines, and some of them are using it as an opportunity to profit off your information. “… If you schedule a Covid-19 vaccine appointment with major pharmacy chains such as Walgreens or CVS, your data may be used to bulk up those companies’ own significant marketing apparatuses, giving them a source of income even beyond what they’re paid for administering the vaccines and whatever you might decide to buy while you’re in the store to get one. In some cases, you’re forced to make an account with the store to get a vaccine at all, and deactivating your mandatory account after the fact isn’t easy…When you go to the Walgreens vaccine scheduler, you can find out if there are vaccines available in your area, but you can’t see where and when appointments are available — let alone schedule one — without first making a Walgreens account. And that means giving Walgreens the information it considers necessary to make that account, including your name, date of birth, phone number, address, gender (male or female are the only options), and email address. You’re also automatically signing up to receive marketing emails, which you can only opt out of later through your account settings. Oh, and you’re encouraged to join the myWalgreens loyalty program, which gives Walgreens even more data about your purchases and automatically signs you up for even more marketing emails…Walgreens, for instance, will use your data to target ads to you on its website, on social media, and in marketing emails — as detailed in Walgreens’ own privacy policy
Posted in: Business Research, Computer Security, Cybercrime, Cybersecurity, Economy, Financial System, Healthcare, Privacy, Social Media