Pete Recommends – Weekly highlights on cyber security issues, May 2, 2021

Subject: Top White House cyber official says action taken so far not enough to deter further Russia cyberattacks
Source: CNNPolitics

Washington (CNN) The White House’s top official on the response to the massive SolarWinds hack says the sweeping measures announced by the Biden administration against Russia are unlikely on their own to prevent Moscow’s malicious cyber activity against the US and did not dispute that the hackers responsible for the massive breach are still lurking on American networks.
Expelling Russian hackers from US government networks and getting them to reconsider their malign behavior is going to take time, more comprehensive dialogue and fundamental changes to American cybersecurity, deputy national security adviser Anne Neuberger told CNN in an interview.

A week after the Biden Administration called out Russia’s foreign intelligence service for the first time for carrying out the most serious breach ever of US government networks, Neuberger didn’t deny that Russian hackers are active inside those networks and made clear she hasn’t yet seen a significant change in Russia’s malicious behavior in cyberspace….

“To really shape a country’s use of cyber, you have to shape the calculus they use on the value and the cost,” she added. “The SVR is a sophisticated, persistent actor. They play a role as part of Russia’s intelligence collection, as part of their malign influence mission. And we know that to shape that calculus is not going to be one action.”

Cyber response options presented to NSC – In the weeks of discussions leading up to the announcement, various agencies sent a range of cyber response options to the National Security Council for consideration, according to a source familiar with the planning. It remains unclear whether the Biden administration has plans to act on any of those options.

The menu of potential cyber responses presented to the NSC only consisted of options that are considered legal, ethical, moral and proportional, the source added, noting that it did not include anything that would be considered escalatory or cause serious blowback.

A primary reason is that US cyber defenses aren’t hard or modern enough, an issue the White House says is going to be addressed with a new executive order in the coming weeks. Despite Neuberger’s senior role in intelligence and cybersecurity under President Donald Trump, she says “inheriting a crisis” in SolarWinds exposed how serious the country’s vulnerabilities are.

Subject: Air Fryer Hacking: Cosori Kitchen Appliance Security Flaws Found
Source: Forbes

The internet of not so smart things is a security and privacy nightmare, no doubt about that, but some vulnerabilities are more worrying than others.

Last year I reported on a robot vacuum cleaner that could be hacked to spy on the user. Out of the lab and in the real world, this would require a firmware update, access to the local network and the correct ambient light and sound levels to work.

There are, truth be told, much easier ways to use technology to eavesdrop on someone.

Smart lock issues, yep. Coffee machine ransomware, less so. Connected car hacking and even permanently locking an internet-connected chastity belt, well, yeah.

Air fryer hacking, not so much.

“Security issues in IoT devices, even with complex exploitation scenarios, are concerning because often a user can usually never easily tell if a device is vulnerable to an issue or even if a device has already been compromised,” Craig Williams, the Cisco Talos director of outreach, told me. With regards to the air fryer vulnerabilities, Williams says “in CVE-2020-28593, for example, the bug could be used to implant malicious firmware into the device. This could then be used for any number of nefarious purposes, perhaps most likely as a proxy point for attackers to route their traffic through during future campaigns.”

Subject: FBI-DHS-CISA Joint Advisory on Russian Foreign Intelligence Service Cyber Operations
Source: CISA

The Federal Bureau of Investigation (FBI), Department of Homeland Security, and CISA have released a Joint Cybersecurity Advisory (CSA) addressing Russian Foreign Intelligence Service (SVR) cyber actors’—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and Yttrium—continued targeting of U.S. and foreign entities. The SVR activity—which includes the recent SolarWinds Orion supply chain compromise—primarily targets government networks, think tank and policy analysis organizations, and information technology companies, and seeks to gather intelligence information. This CSA complements the CISA, FBI, and National Security Agency (NSA) Joint CSA, Russian SVR Targets U.S. and Allied Networks, and provides tactics, tools, techniques, and capabilities to help organizations conduct investigations and secure their networks.

Subject: CISA and NIST Release New Interagency Resource: Defending Against Software Supply Chain Attacks
Source: CISA

A software supply chain attack—such as the recent SolarWinds Orion attack—occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software can then further compromise customer data or systems. To help software vendors and customers defend against these attacks, CISA and the National Institute of Standards and Technology (NIST) have released Defending Against Software Supply Chain Attacks. This new interagency resource provides an overview of software supply chain risks and recommendations. The publication also provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

CISA encourages users and administrators to review Defending Against Software Supply Chain Attacks and implement its recommendations.

Subject: A Better Way to Spot Deep-Faked Satellite Images
Source: Nexgen

Training AIs to look at 26 subtle features may help thwart attempts to peddle fraudulent imagery. Computer-generated satellite “photos” can be very difficult for humans and other machine learning algorithms to detect, a growing concern of national security officials who fear that doctored images might find their way into troops’ hands or be used to sway public opinion. But help may be on the way. Researchers this week published a new method for detecting faked satellite images, even those that would normally fool advanced computer detection techniques as well as trained human eyes.

The team from the University of Washington started by creating the best fakes they could. Using a tool called CycleGAN, they created a generative adversarial network that pitted two artificial intelligence algorithms against one another. The first AI worked to spot fake images, and the second identified the factors that the first AI used to find the fakes and used those lessons to produce even more flawless frauds. Ultimately, the team created a set of 8,064 satellite images, including real images of Tacoma and Seattle, Washington, and Beijing — and faked ones that combined imagery of the three cities.

The FBI last month warned that they anticipate much greater use of deep fakes in the months ahead.


Subject: Covid-19 Contact Tracing on Android Is Not So Private After All
Source: Gizmodo

At the start of the pandemic, Apple and Google scrambled to enable covid-19 contact tracing on their respective smartphone operating systems. The feature, which works across iOS and Android, was designed to help folks quickly determine if they’d been exposed to the virus by simply enabling a contact-tracing setting. Both companies had promised that pertinent data collected from the features, like where you’d been and who you’d passed by, would remain relatively anonymous and that only public health agencies would have access to that information. Unfortunately, the opposite was true for the Android version of the covid-19 tracing tool. The Markup published a report of a significant privacy flaw that allows hundreds of preinstalled apps offered by major Android manufacturers to access sensitive data. Apps like the Samsung Browser and Motorola’s MotoCare have grandfathered access to system logs for analytics and crash reports, which is where the data is stored.

The contact-tracing tools work by exchanging anonymized Bluetooth signals with other phones that have the ability enabled. (On Android, you can flip it on with a switch in the device settings menu.) Those signals change every 15 minutes so that individual users aren’t identifiable, created from a key that’s refreshed every 24 hours. The signals generated and received by an Android phone’s contact tracing are then saved into the device system logs. It’s there that Samsung, Motorola, Huawei, and other major Android players have automatic access to that data.
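To make the mechanism in the paragraph above concrete, the following is an added Python model written for this digest; it is not code from Google, Apple or The Markup. It models identifiers that rotate every 15 minutes, derived from a key that is refreshed every 24 hours, and shows what a reader of the system log can and cannot learn from them. Two simplifications are assumptions made for a stand-alone example: the derivation uses HMAC-SHA256 truncated to 16 bytes in place of the real Exposure Notification system’s HKDF plus AES-128 construction, and the log line format is invented rather than real Android logcat output. The keys and log lines are constructed sample data.

```python
import hashlib
import hmac
import re
import secrets

# Parameters taken from the page's description: identifiers change every
# 15 minutes and are derived from a key that is refreshed every 24 hours.
INTERVAL_SECONDS = 15 * 60
KEY_LIFETIME_SECONDS = 24 * 60 * 60
INTERVALS_PER_KEY = KEY_LIFETIME_SECONDS // INTERVAL_SECONDS   # 96 identifiers per key


def new_daily_key() -> bytes:
    """Random 16-byte key; a real device generates a fresh one each day."""
    return secrets.token_bytes(16)


def interval_number(unix_time: int) -> int:
    """Index of the 15-minute interval that contains unix_time."""
    return unix_time // INTERVAL_SECONDS


def rolling_identifier(key: bytes, interval: int) -> bytes:
    """Derive the 16-byte identifier broadcast during one interval.

    Assumption: HMAC-SHA256 truncated to 16 bytes stands in for the real
    system's HKDF + AES-128 derivation. The property this model preserves is
    the one the privacy argument rests on: the identifier is a one-way
    function of (key, interval), so two identifiers cannot be linked to each
    other, or to a device, without the key.
    """
    msg = b"RPI" + interval.to_bytes(4, "little")
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def identifiers_for_key(key: bytes, key_start_unix: int) -> list:
    """Every identifier a device broadcasts during one key's 24-hour lifetime."""
    first = interval_number(key_start_unix)
    return [rolling_identifier(key, i) for i in range(first, first + INTERVALS_PER_KEY)]


# --- Constructed system-log sample -------------------------------------------
# The line format below is invented for this example; it is not real Android
# logcat output. Keys are fixed constants so the example is reproducible.
KEY_START = 1_619_481_600  # 2021-04-27 00:00:00 UTC, an arbitrary constructed day
VICTIM_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed
OTHER_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")    # constructed


def _log_line(unix_time: int, key: bytes) -> str:
    rpi = rolling_identifier(key, interval_number(unix_time))
    return f"{unix_time} I ExposureNotification: received rpi={rpi.hex()}"


SAMPLE_LOG = [
    _log_line(KEY_START + 10 * 60, VICTIM_KEY),          # 00:10, victim's phone nearby
    _log_line(KEY_START + 95 * 60, OTHER_KEY),           # 01:35, someone else's phone
    _log_line(KEY_START + 8 * 3600, VICTIM_KEY),         # 08:00, victim again
    _log_line(KEY_START + 20 * 3600 + 30, VICTIM_KEY),   # 20:00:30, victim again
]

LOG_RE = re.compile(r"^(\d+) I ExposureNotification: received rpi=([0-9a-f]{32})$")


def parse_log(lines) -> list:
    """Return (unix_time, identifier) pairs for every well-formed log line."""
    sightings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            sightings.append((int(m.group(1)), bytes.fromhex(m.group(2))))
    return sightings


def link_log_to_key(lines, key: bytes, key_start_unix: int) -> list:
    """Sightings in the log that belong to the holder of `key`.

    Without the key the log is a list of unrelated random-looking values.
    With it (daily keys of diagnosed users are published by protocol design,
    and a device's own keys live on the device) the same log becomes a
    timestamped trail of one person, which is why these values should never
    reach a log that other apps can read.
    """
    known = set(identifiers_for_key(key, key_start_unix))
    return [(t, rpi) for t, rpi in parse_log(lines) if rpi in known]


if __name__ == "__main__":
    for when, rpi in link_log_to_key(SAMPLE_LOG, VICTIM_KEY, KEY_START):
        print(f"{when}: {rpi.hex()} belongs to the holder of VICTIM_KEY")
```

Run as a script, the block prints the three victim sightings and nothing for the other phone; the point is that the log entries alone are unlinkable, and the daily key is the only thing that turns them into a trail, so the defensive fix is keeping identifiers out of logs that privileged apps can read.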

Subject: Man Banned From Carrying ‘Loose QR Codes’ After Altering Covid Check-In Signs
Source: Gizmodo

A man in the Australian state of South Australia was arrested Wednesday after allegedly placing his own QR codes on two official covid-19 check-in signs, according to police in South Australia. The man was granted bail with one very specific condition: He can’t carry “loose QR codes” anywhere.
The government of South Australia operates an app called “covid-safe check-in” that allows users to scan a QR code at local businesses and events, giving the information to contact tracers when there’s been a confirmed case of covid-19 in the area. But some people have been incredibly hostile to the program, believing it’s an unreasonable invasion of privacy. The 51-year-old man who allegedly put up the fake QR codes, identified as Colin Mark Davies by local news site Adelaide Now, was charged on Wednesday with two counts of obstructing operations related to covid-19, a crime under emergency powers granted during the pandemic…

Subject: FTC Warns the AI Industry: Don’t Discriminate, or Else
Source: Nextgov

The U.S. Federal Trade Commission just fired a shot across the bow of the artificial intelligence industry. On April 19, 2021, a staff attorney at the agency, which serves as the nation’s leading consumer protection authority, wrote a blog post about biased AI algorithms that included a blunt warning: “Keep in mind that if you don’t hold yourself accountable, the FTC may do it for you.” The post, titled “Aiming for truth, fairness, and equity in your company’s use of AI,” was notable for its tough and specific rhetoric about discriminatory AI. The author observed that the commission’s authority to prohibit unfair and deceptive practices “would include the sale or use of – for example – racially biased algorithms” and that industry exaggerations regarding the capability of AI to make fair or unbiased hiring decisions could result in “deception, discrimination – and an FTC law enforcement action.”

Bias seems to pervade the AI industry. Companies large and small are selling demonstrably biased systems, and their customers are in turn applying them in ways that disproportionately affect the vulnerable and marginalized. Examples of areas where they are being abused include health care, criminal justice and hiring.

Whatever they say or do, companies seem unable or unwilling to rid their data sets and models of the racial, gender and other biases that suffuse society. Industry efforts to address fairness and equity have come under fire as inadequate or poorly supported by leadership, sometimes collapsing entirely.


Subject: SSA Inspector General: New Tactics for Government Imposters
Source: Social Security Matters

Last month, we partnered with our Office of Inspector General (OIG) for the annual National “Slam the Scam” Day to help you learn how to identify and avoid government imposter scams. These scams are widespread across the United States and often involve Social Security number-related issues. Scammers’ tactics continue to evolve.
Most recently, the OIG has received reports of phone scammers creating fake versions of the identification badges most Federal employees use to gain access to Federal buildings. The scammers may text or email photos of the fake badges to convince potential victims of their legitimacy. These badges use government symbols, words, and even names and photos of real people, which are available on government websites or through internet searches. If you receive a suspicious letter, text, call or email, hang up or do not respond. You should know how to identify when a call is really coming from Social Security.


Subject: Ransomware Task Force Launches Comprehensive Framework to Combat Ransomware
Source: Institute for Security + Technology via beSpacific

Institute for Security and Technology – A Comprehensive Framework for Action: “Ransomware is no longer just a financial crime; it is an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe. This is not a problem that any one entity can solve. Over 60 experts from industry, government, law enforcement, civil society, and international organizations worked together to produce this comprehensive framework, which breaks down siloed approaches and advocates for a unified, aggressive, comprehensive, public-private anti-ransomware campaign. These recommendations are informed by a deep bench of experts and are immediately actionable, together forming a framework to reduce this criminal enterprise. It will take nothing less than our total collective effort to mitigate the ransomware scourge. Read the report now to learn our path forwards…”

Subject: Contact Tracing Breach In Pennsylvania Impacts Private Information Of 72,000 People
Source: CBS Pittsburgh

HARRISBURG, Pa. (AP) — Employees of a vendor paid to conduct COVID-19 contact tracing in Pennsylvania may have compromised the private information of at least 72,000 people, including their exposure status and their sexual orientation, the state Health Department said Thursday.

Agency spokesman Barry Ciccocioppo said in an email it recently learned workers at Atlanta-based Insight Global “disregarded security protocols established in the contract and created unauthorized documents” outside the state’s secure data system.
