Pete Recommends – Weekly highlights on cyber security issues, May 23, 2021

Subject: EufyCam Users Should Turn Off Their Security Cams Immediately
Source: Gizmodo
https://gizmodo.com/eufycam-users-should-turn-off-their-security-cams-immed-1846908208

In the latest privacy woe to hit security cam owners, folks using Anker’s EufyCam products are reporting unwarranted access to random people’s camera feeds. Eufy hasn’t addressed any specific issues but acknowledged there’s a bug and a fix. On Reddit and across multiple Eufy community forums, users are describing being logged into strangers’ cameras, giving them full access not only to a live feed of a stranger’s personal property but to their cloud storage and admin controls, too. Right now, the majority of users reporting this security snafu seem to be based in Australia and New Zealand. While Gizmodo wasn’t able to independently verify the issue, one EufyCam user confirmed to AppleInsider that it hit their system as well.

Subject: City Settles for $350,000 After Suing Bloggers for Opening Dropbox Links It Sent Them
Source: Gizmodo
https://gizmodo.com/california-city-settles-for-350-000-after-suing-blogge-1846913355

The city of Fullerton, California, has agreed to settle for $350,000 in a lawsuit brought by two bloggers it falsely accused of breaking into the municipal government’s Dropbox account. In reality, administrators just sent the intrepid journalists a public link that the city would have preferred they didn’t click. Ars Technica reported that Joshua Ferguson and David Curlee will receive $60,000 each after a Fullerton city employee mistakenly responded to a request for records on police misconduct by emailing them not only the requested records but a link to an openly accessible Dropbox “Outbox” folder containing city records that hadn’t yet been cleared for release by a city attorney. Ferguson and Curlee downloaded 19 .zip files, five of which didn’t have passwords themselves, alongside the documents they were supposed to receive.


Subject: Colonial Pipeline Cyberattack Highlights Need for Better Federal and Private-Sector Preparedness
Source: U.S. GAO
https://www.gao.gov/blog/colonial-pipeline-cyberattack-highlights-need-better-federal-and-private-sector-preparedness-infographic

The recent cybersecurity attack on the Colonial Pipeline Company has led to temporary disruption in the delivery of gasoline and other petroleum products across much of the southeast United States. In today’s WatchBlog post, we look at this attack and the federal government and private-sector response. We here at GAO have been warning of cybersecurity threats to critical infrastructure for many years, and the need to strengthen the federal role in protecting critical infrastructure, which we reiterated in a report issued in March.

Pipeline Vulnerabilities

More than 2.7 million miles of pipelines transport and distribute oil, natural gas, and other hazardous products throughout the United States. Protecting the nation’s pipeline systems is a responsibility shared by both the federal government and private industry—with private sector pipeline operators responsible for implementing security measures for their assets. The figure below shows the U.S. pipeline systems’ basic components and vulnerabilities. While potential physical attacks are always a concern, the pipeline systems’ vulnerabilities can also include various types of cyberattacks, such as infiltration of company business systems or disruption of the systems that control the pipeline’s operations.

+ infographic


Subject: Amazon Extends Moratorium on Police Use of Its Facial Recognition Software
Source: Gizmodo
https://gizmodo.com/amazon-has-extended-the-moratorium-on-police-use-of-its-1846922667

Law enforcement officials are still banned from using Amazon’s facial recognition technology “until further notice,” the company said on Wednesday, a decision that effectively extends a yearlong moratorium that had been set to expire on June 1. Known as Rekognition, the program in question has been widely criticized over the years for its dubious efficacy — it once incorrectly identified 28 members of Congress as criminals — and its tendency to, surprise surprise, disproportionately misidentify women and people of color. In 2019, two independent studies concluded that Rekognition’s facial recognition software did, in fact, return inaccurate or biased results, and some police precincts even objected to using the software on the grounds that it gave off “a Big Brother vibe.”

In a statement issued at the time of the moratorium, Amazon said that it had “advocated that governments should put in place stronger regulations to govern the ethical use of facial recognition technology.”


Subject: Protecting agency assets begins with identity-centric security
Source: GCN
https://gcn.com/articles/2021/05/19/identity-centric-security.aspx

The more IT environments become distributed, cloud-based and mobile, the more securing identities gravitates to the center of infosec strategy. As Jay Gazlay, a technical strategist at the Cybersecurity and Infrastructure Security Agency recently summed up for members of the National Institute of Standards and Technology’s Information Security and Privacy Advisory Board: “Identity is everything now. We can talk about our network defenses, we can talk about the importance of firewalls and network segmentation, but really, identity has become the boundary, and we need to start readdressing our infrastructures in that manner.”

No identities are more imperative to secure than those with privileged access to systems, data, applications and other resources. With the power to install and remove software, upgrade operating systems and modify and configure applications, privileged credentials and access can fast-track access to sensitive assets for an attacker or give malware the foothold it needs to spread and escalate an attack.

In 2019, the Office of Management and Budget issued its Identity, Credentialing, and Access Management (ICAM) policy. It requires that agencies “shift from simply managing access inside and outside of the perimeter to using identity as the underpinning for managing the risk posed by attempts to access federal resources made by users and information systems.” Now, identity-centric security, along with zero trust, can no longer be ignored. In fact, identity-centric security, particularly privileged-access management (PAM) controls, is also an essential piece of enabling a zero-trust architecture.


Subject: US to ramp up tracking of domestic extremism on social media
Source: Associated Press via WTAJ
https://www.wearecentralpa.com/news/national-news/us-tracking-domestic-extremism/

WASHINGTON (AP) — The Department of Homeland Security plans to ramp up social media tracking as part of an enhanced focus on domestic violent extremism. While the move is a response to weaknesses exposed by the deadly U.S. Capitol insurrection, it’s raising concerns about undermining Americans’ civil liberties….

DHS in recent weeks has announced a new office in its intelligence branch focusing on domestic extremism and a new center to facilitate “local prevention frameworks” that, according to a statement, can better identify people “who may be radicalizing, or have radicalized, to violence.”

The overall effort is in its early stages. The department is exploring partnerships with tech companies, universities, and nonprofit groups to access publicly available data. DHS will also train analysts on tracking social media and how to distinguish a threat from the exercise of free speech.

DHS officials say the goal is to better monitor and respond to story lines percolating on social media that could incite violence. With a more focused effort, the department could better assess domestic threats and move to protect potential targets of attacks, the officials said.


Subject: Cyber Attacks – A Rising Threat (Infographic)
Source: IBM via LinkedIn
https://www.linkedin.com/feed/update/urn:li:share:6800604930395664385/

Cybercrimes are fast and frequent. The best protection is awareness of threats and smart digital habits.

Posted in: AI, Computer Security, Cybercrime, Cybersecurity, Data Mining, Energy, Legal Research, Privacy, Social Media