Subject: NSA Releases Guidance on Zero Trust Security Model
The National Security Agency (NSA) has released Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred. CISA encourages administrators and organizations to review NSA’s guidance on Embracing a Zero Trust Security Model to help secure sensitive data, systems, and services.
Subject: Local Mother Recounts Terrifying Kidnapping Scam That Spoofed Her Daughter’s Cell Phone Number
Source: CBS Pittsburgh
The woman said it seemed so real because when she got the call on her cell phone, it came up as her daughter’s number.
“He tells me he has my daughter and her name and her husband and says his name and that he has them at gunpoint and I need to listen to him and not hang up the phone and do what he says or he will kill them,” the mother said.
His only demand was to send $1,500 to a Gmail account.
“He said you need to send it through Zelle. Go online and figure out how to open an account now, do it quickly or my daughter was going to die,” she said.
Officials at the FBI’s Pittsburgh Field Office told KDKA they’ve heard of virtual kidnapping and spoofing happening. The FBI believes most virtual kidnappings for ransom remain unreported and they do not keep statistics on that.
The woman called the FCC and her bank. She also filed a report with the FBI and local police.
Subject: You Can’t Launder Bitcoins!
Dollars Are Fungible, Bitcoins Are Not. As you’ll be aware from the plethora of stories about Bitcoin using more electricity than most countries, Bitcoin “mining” means throwing massive amounts of computer power at a mathematical puzzle, and the first computer to solve the puzzle finds the new bitcoins. Not everyone gets into Bitcoin mining just for the money though. The operator of a Bitcoin mining pool (a group of miners who work together to share the profits) quoted in CoinDesk says that some are investing for other reasons “such as to avoid capital controls or avoid sanctions”.
Some people mine Bitcoin for profits, but some people mine it for politics. The Foundation for Defense of Democracies (FDD), a Washington think tank, summarised the emerging situation rather well in their position paper “Crypto Rogues”. They noted that “blockchain technology may be the innovation that enables U.S. adversaries for the first time to operate entire economies outside the U.S.-led financial system”. Now, while this may be technically slightly inaccurate (there are ways to create anonymous transactions without a blockchain and, indeed, the Swiss central bank has just published a working paper describing how to do so), it again flags up that the widespread availability of decentralised financial services threatens to bypass the existing infrastructure.
Subject: Accidental Wiretaps: The Implications of False Positives By Always-Listening Devices For Privacy Law & Policy
Source: SSRN via beSpacific
Subject: Mental Health Apps and User Privacy
Source: Consumer Reports
- HIPAA, the federal health data law, doesn’t apply to all the information collected by the apps.
- CR’s testers observed apps sharing unique IDs, specific to a particular smartphone, with several companies, including Facebook.
- Privacy policies don’t always make it clear what kind of data could be shared, and how it could be used.
Mental health apps take a number of approaches to providing help. Some connect you with licensed therapists over video. Conversations with therapists are typically covered by the same state and federal health privacy rules that apply to in-person therapy or to any doctor’s appointment. But the same apps or similar-sounding ones may provide guided meditations, mood-tracking diaries, therapy chatbots, and cognitive behavioral therapy exercises. Along the way, you might be asked to complete a questionnaire on your mental health symptoms.
The data you provide as you use those features might not necessarily be treated as confidential by the app developers, or by the law.
Using specially programmed Android phones, we watched which outside companies received data from the apps as we used them, and checked to determine whether privacy settings were on or off by default. We also analyzed how well the apps’ privacy policies matched what we observed. We worked on that technical analysis with AppCensus, a privacy research company that has collaborated with Consumer Reports on other investigations, and we’ve posted a detailed test report (PDF).
In general, these mental health services acted like many other apps you might download. For instance, we spotted apps sharing unique IDs associated with individual smartphones that tech companies often use to track what people do across lots of apps. The information can be combined with other data for targeted advertising. Many apps do that, but should mental health apps act the same way? At a minimum, Consumer Reports’ privacy experts think, users should be given a clearer explanation of what’s going on.
Subject: NSA Pushes Zero Trust Principles to Help Prevent Sophisticated Hacks
The National Security Agency is working with National Security Systems and Defense Department programs to pilot the implementation of Zero Trust principles and will provide more guidance in the coming months, according to a document the agency released last week. While traditional security architectures focus on protecting the perimeter of an enterprise, a Zero Trust approach assumes the threat is already inside the network and emphasizes continuously monitoring who has access to high-value data at every step and stopping them from capturing it.
The guide NSA released Feb. 25 provides examples of how implementing Zero Trust could have foiled some of the approaches hackers used to compromise at least nine federal agencies and a hundred companies in an attack that leveraged network management company SolarWinds in combination with other avenues. The perpetrators’ focus on avoiding detection portends greater use of such tactics in the future and makes Zero Trust all the more important, NSA said.
Subject: SSA Inspector General: New Tactics for Government Imposters
Source: Office of the Inspector General, SSA
Government imposter scams, most often involving Social Security number-related issues, are widespread across the United States, and scammers’ tactics are sophisticated and constantly evolving. To help the public learn how to identify – and avoid – these scams, Inspector General Ennis has designated Thursday, March 4, 2021 as National “Slam the Scam” Day, in coordination with National Consumer Protection Week.
Subject: NIST Planning Workshop to Comply with Law on Federal IoT Procurement
The IoT Cybersecurity Improvement Act of 2020 passed in December with the provision that NIST publish standards and guidelines (within 90 days) for federal agencies’ appropriate use of devices that make up the internet of things. The law generally prohibits agencies from procuring devices that don’t meet the standards and guidelines, which are to be laid out in policy by the Office of Management and Budget. NIST published a core baseline of IoT cybersecurity capabilities back in May and in December issued drafts of a number of complementary documents, including nontechnical baselines on issues like vulnerability reporting and contract management; a profile for federal agencies incorporating the technical and nontechnical baselines; and the overarching Special Publication 800-213, “IoT Device Cybersecurity Guidance for the Federal Government,” which includes a catalog agencies can use when they are purchasing IoT devices to go beyond the lowest requirements.
Briefing NIST’s Information Security and Privacy Advisory Board on the issue Thursday, Megas said reactions to NIST’s work toward meeting its statutory obligation include concerns that the baseline can’t be applied to certain devices which should therefore be exempt, and that NIST’s approach would result in splintered federal requirements.
Subject: You got a vaccine. Walgreens got your data.
Source: Vox via beSpacific