Pete Recommends – Weekly highlights on cyber security issues, May 16, 2021

Subject: What’s Google Floc? And How Does It Affect Your Privacy?
Source: WIRED

Google wants to change the way we’re tracked around the web, and given the widespread use of its Chrome browser, the shift could have significant security and privacy implications—but the idea has been less well-received by companies that aren’t Google. The technology in question is FLoC, or Federated Learning of Cohorts, to give it its full and rather confusing name. It aims to give advertisers a way of targeting ads without exposing details on individual users, and it does this by grouping people with similar interests together: football fans, truck drivers, retired travelers, or whatever it is.

“We started with the idea that groups of people with common interests could replace individual identifiers,” writes Google’s Chetna Bindra. “This approach effectively hides individuals ‘in the crowd’ and uses on-device processing to keep a person’s web history private on the browser.”

These groups (or “cohorts”) are generated through algorithms (that’s the “federated learning” bit), and you’ll get put in a different one each week—advertisers will only be able to see its ID. Any cohorts that are too small will get grouped together until they have at least several thousand users in them, to make it harder to identify individual users.

FLoC is based on the idea of a Privacy Sandbox, a Google-led initiative for websites to request certain bits of information about users without overstepping the mark. Besides FLoC, the Privacy Sandbox covers other technologies too: For preventing ad fraud, for helping website developers analyze their incoming traffic, for measuring advertising effectiveness, and so on.


Subject: New Stealthy Rootkit Infiltrated Networks of High-Profile Organizations
Source: Risks Digest – The Hacker News – geoff goodfellow

An unknown threat actor with the capabilities to evolve and tailor its toolset to target environments infiltrated high-profile organizations in Asia and Africa with an evasive Windows rootkit since at least 2018. Called ‘Moriya,’ the malware is a “passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them,” said Kaspersky researchers Mark Lechtik and Giampaolo Dedola in a Thursday deep-dive. The Russian cybersecurity firm termed the ongoing espionage campaign ‘TunnelSnake.’ Based on telemetry analysis, fewer than 10 victims around the world have been targeted to date, with the most prominent targets being two large diplomatic entities in Southeast Asia and Africa. All the other victims were located in South Asia. …

Subject: Colonial Pipeline: Biden administration scrambles to respond to cyberattack on critical pipeline
Source: CNNPolitics

“This weekend’s events put the spotlight on the fact that our nation’s critical infrastructure is largely owned and operated by private sector companies,” said Elizabeth Sherwood-Randall, the White House homeland security adviser. “When those companies are attacked, they serve as the first line of defense and we depend on the effectiveness of their defenses.”
Anne Neuberger, the top official responsible for cybersecurity on the National Security Council, said Colonial Pipeline had not asked for “cyber-support” from the federal government but that federal officials were ready and “standing by” to provide assistance if asked.
Still, the broader issue of security gaps in the nation’s critical systems — components of which are decades old and are privately owned — remains a serious question for the White House, which is finalizing an executive order meant to better respond to cyberattacks.

Subject: Energy Department Leading White House Interagency Response to Pipeline Attack
Source: Nextgov

The hack highlights jurisdictional issues on pipeline cybersecurity. The White House has formed an interagency task force in response to a cyberattack on Colonial Pipeline Company with the Energy Department at the helm, according to administration officials.

“The White House convened an interagency team that included the Department of Energy, which is the lead agency for incident response in this case, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, the FBI, the Department of Transportation Safety and Hazardous Materials Safety Administration, the Department of the Treasury, the Department of Defense and other agencies,” Deputy National Security Advisor Liz Sherwood-Randall said during a press briefing on the event Monday. Not specifically listed in that group was DHS’s Transportation Security Administration, which has oversight over pipeline cybersecurity. In May 2019, the Government Accountability Office issued a scathing report of the TSA’s performance in that role, noting among other things that there were only six staffers assigned to the area. And there has been a longstanding bipartisan effort from within the Federal Energy Regulatory Commission and in Congress to turn responsibility for pipeline cybersecurity over to Energy.

The attack on Colonial’s 5,500 miles of pipelines, attributed by the FBI to a criminal ransomware group called Darkside, threatens to disrupt the flow of almost half the East Coast’s energy supply. Randall said there isn’t currently an energy supply issue, but that the administration is working on contingency plans if shortages develop. Perpetrators of ransomware deploy malware to encrypt an entity’s data until they receive a payment. In recent attacks of this variant, hackers have also threatened to publicly release sensitive data so that even if a company has backup files—like they’re supposed to—they’re still motivated to pay. However, the FBI discourages victims from paying as it has the potential to incentivize more attacks….


Subject: Complete guide to selecting a HIPAA compliant email service
Source: ProtonMail

This article is part of a series discussing various aspects of HIPAA compliance. ProtonMail is the world’s largest secure email provider, used by millions to protect their messages. We provide HIPAA compliant email to thousands of organizations, and we created this guide to explain how to select the best HIPAA compliant email provider for your organization.

Subject: AI Security Risk Assessment Tool
Source: Schneier on Security

Microsoft researchers just released an open-source automation tool for security testing AI systems: “Counterfit.” Details on their blog.

Subject: PrivacyBot
Source: Berkeley MIMS Final Project via beSpacific

Berkeley MIMS Final Project 2021 – “PrivacyBot is a free and open-source way to delete your data from an exhaustive list of data brokers and people search sites. The largest statewide privacy law change in a generation, the California Consumer Privacy Act (CCPA) went into effect in January 2020. However, exercising these privacy rights is a tricky business even for privacy experts. A survey we conducted within a few privacy-related subreddits showed that tracking down data brokers is “a huge pain in the [neck]”. We introduce “PrivacyBot”, a simple way to start exercising your privacy rights. Our deliverables include:

  • A fully open-source local-only system that automatically routes data delete requests to data brokers and people search sites
  • User experience research reports about current CCPA processes and feedback
  • Shareable insights and data visualizations about the request process…”

Subject: Take the 7-Day Privacy Challenge
Source: Consumer Reports

There’s an entire industry—even more than one—built on turning your life into marketable data. The things you buy, the people you connect with over social media, the places you go, your political and religious affiliations, your likes and dislikes. For almost every corner of your life, there’s a company trying to keep tabs on you, and mining that information for insights that can be used to sell you things, target you with political ads, manipulate your behavior, and build new products.

That’s why we put together the 7-Day Privacy Challenge.

Subject: Senate Cyber Hawk Calls for ‘Criminal Penalties’ for Negligent CEOs
Source: Gizmodo

Sen. Ron Wyden, historically a leading proponent of heightened cybersecurity governance in both public and private spheres, called for congressional action Wednesday around all private firms operating in critical infrastructure sectors, saying the recent network breach at one of the largest U.S. pipelines paints a dismal picture of the nation’s susceptibility to attack. The cyber intrusion detected at Colonial Pipeline Co. over the weekend forced the shutdown of a vital pipeline stretching from Houston to New Jersey, which typically ferries more than 2.5 million barrels of fuel per day. On Sunday, the FBI confirmed the breach involved a criminal ransomware gang known as DarkSide, which cybersecurity experts have linked to Russia, though not directly to the Kremlin. The group itself issued a statement on Monday claiming the breach was financially and not politically motivated, and that it intends to work toward “avoid[ing] social consequences in the future.”

In a statement to Gizmodo, Wyden, chair of the Senate Finance Committee, said the attack underscores a “massive problem” at companies running the country’s critical infrastructure, saying “dangerously negligent cybersecurity” portends more crippling attacks in the future. Failures at the highest corporate levels pose a significant threat to national security, he said, adding that Congress should immediately force critical infrastructure companies to institute heightened security safeguards.

Wyden added: “Any company so vital to our economy that a cyberattack can disrupt the lives of millions of Americans, should be regularly audited by the government so that our adversaries are not the first ones to discover cybersecurity weaknesses.”

The Oregon senator’s focus on the culpability of corporate officers is hardly out of left field. Wyden has previously introduced and sponsored several bills concerning data security seeking tough penalties for corporate malpractice, including, in the case of Silicon Valley, prison time for executives who mislead regulatory bodies about their data handling practices.

Subject: Report: What City Officials Need to Know About Facial Recognition Technology
Source: Route Fifty

How local governments are regulating facial recognition systems, as well as their benefits and challenges, are addressed in a report by the National League of Cities. Facial recognition is used by companies, law enforcement and government agencies to capture people’s images by video and photo to help identify an unknown person. A recent report by the National League of Cities addresses issues surrounding facial recognition and governments’ ability to balance transparency with effectiveness and efficiency.

The report comes as cities grapple with the challenges and benefits of facial recognition policies. Some cities and counties have banned facial recognition technology and some are putting the technology up for a vote.

Other local governments have limited the scope and size of their facial recognition technology use. Those cities include New York, Seattle, Detroit, Nashville and Pittsburgh among others. Meanwhile, New Orleans, San Francisco, Boston, Oakland, California, and Portland, Oregon, are cities that have banned the use of the technology.

Two more suggestions: Cities should develop rigorous standards for the storage of facial recognition data, as well as implement effective cybersecurity to ensure the biometric data is fully protected. Lastly, the NLC advises that managers of facial recognition systems follow best practices for drafting contracts to reduce legal risk and certify the accuracy of their algorithms.
More information from the NLC about facial recognition is available in its report [PDF].


Subject: Pentagon Surveilling Americans Without a Warrant, Senator Reveals
Source: Motherboard via beSpacific

“The Pentagon is carrying out warrantless surveillance of Americans, according to a new letter written by Senator Ron Wyden and obtained by Motherboard. Senator Wyden’s office asked the Department of Defense (DoD), which includes various military and intelligence agencies such as the National Security Agency (NSA) and the Defense Intelligence Agency (DIA), for detailed information about its data purchasing practices after Motherboard revealed special forces were buying location data. The responses also touched on military or intelligence use of internet browsing and other types of data, and prompted Wyden to demand more answers specifically about warrantless spying on American citizens. …
