Pete Recommends – Weekly highlights on cyber security issues, June 19, 2021

Subject: Senate bill boosts penalties for cyber criminals
Source: GCN

New legislation aims to create stricter penalties for cyberattacks against critical infrastructure and give the Justice Department more options for bringing charges against criminals in foreign countries. The International Cybercrime Prevention Act is co-sponsored by Sens. Sheldon Whitehouse (D-R.I.), Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.). It essentially takes the existing legal statutes for racketeering, money laundering and forfeiture and “brings them to bear on cyber criminals,” Whitehouse said.

The bill permits law enforcement to seize funds generated from the sale of spyware and to take equipment such as illegal intercept devices used in the commission of hacking campaigns, ransomware and other nefarious activity, according to a fact sheet provided by the lawmakers.

The bill would also make it easier for DOJ to go after botnets by expanding the list of reasons the federal government can seek injunctive relief. Under the current law, DOJ can only seek relief when a botnet is engaged in fraud or illegal wiretapping. The new bill would broaden that activity to include the destruction of data, denial of service attacks and certain violations in the Computer Fraud and Abuse Act.

Subject: In Brazil, Criminals Steal Phones to Empty Victims’ Bank Account
Source: Gizmodo

São Paulo gangs are now cracking into banking apps on stolen devices rather than pawning them off

That’s according to a report from Brazilian newspaper Folha de S.Paulo this week. As first spotted by 9to5 Mac, the report claims this kind of theft has been going on since the early days of the pandemic, but now specialized gangs have adopted the tactic to empty users’ bank accounts, and it’s put local authorities on high alert.
It remains unclear exactly how these criminals are bypassing security measures for the phones and banks involved. According to São Paulo police chief Roberto Monteiro, they appear to target devices that have already been unlocked by the owner.

In some cases, banks have refused to refund the stolen money to victims, arguing that their security systems didn’t fail but rather the clients were negligent by not regularly updating their passwords, Folha de S.Paulo reports. However, clients have fiercely pushed back in these cases. One victim currently involved in a legal battle with the São Paulo-based bank Bradesco said she hadn’t slacked on updating her passwords and her phone was closed when thieves took it. Another victim claimed he had enabled facial recognition and token-based authentication on his phone when it was stolen.

Subject: NSA: Test Unified Communications Patches Before Installing
Source: Nextgov

The National Security Agency is responding to a rise in popularity of systems among the defense industrial base that streamline various forms of communication—such as voice, video, and chat—over the internet, with guidance that recommends organizations test software updates and device configurations before applying them to their networks. “To reduce the chances of updates causing unforeseen problems on production servers, test the updates on a test network that approximates the production network,” reads the guidance NSA released Thursday.

The guidance is specifically for “Deploying Secure Unified Communications/Voice and Video over IP Systems.” The NSA notes malicious actors are particularly acquainted with such systems and outlined mitigations for various ways they could exploit them.


See also: NSA released a Cybersecurity Technical Report today that provides best practices and mitigations for securing Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems. The comprehensive report, “Deploying Secure Unified Communications/Voice and Video over IP Systems,” also describes potential risks to UC/VVoIP systems that aren’t properly secured…which references a 48-page PDF.

Subject: ‘An uprising’: Youth activists bring digital rights to forefront

A new youth group known as Encode Justice seeks to stir an “uprising for technology and algorithmic justice,” according to founder Sneha Revanur. The group’s goals range from fighting racially biased algorithms to protecting privacy rights. Ms. Revanur founded youth digital rights group Encode Justice last year after joining a successful campaign against state plans to use an algorithm to set prisoners’ bail terms, a system that critics said was racially biased.

“We’ve seen it in climate, we’ve seen it on the guns issue, but there hasn’t been an equivalent uprising for technology and algorithmic justice among my peers,” said Ms. Revanur, a high school senior from San Jose, California.

“We are the next generation of technologists, regulators, activists – it’s impacting our lives on a daily basis, and in the future, we have the most to lose,” she said during a lunch break between her classes.

In little over a year, Encode Justice has grown from being a small group of Ms. Revanur’s peers to encompassing more than a dozen chapters across the United States as well as teams dedicated to researching policy issues and campaign strategy.

Subject: Why employees need counterespionage training
Source: TechRepublic

Companies—large and small—need to be aware of espionage threats. If that seems a bit overboard, consider the dramatic increase in the number of incidents related to geopolitical cybercrime. “Many authoritarian governments are doing everything they can, including using their spy services, to build successful businesses and grow their economies,” explained Bill Priestap and Holden Triplett, co-founders of Trenchcoat Advisors, and adjunct professors at Georgetown University’s Walsh School of Foreign Service, in their Lawfare Institute article: The Espionage Threat to U.S. Businesses. “These nation-states are consciously building national champions to dominate industries to extend their national power—not just domestically but also worldwide. “This significantly changes the playing field. As to what this means, business owners must realize their competition now includes corporate rivals supported by nation-states having significant resources and capabilities. Priestap and Triplett suggest most businesses are unprepared for this, adding, “They have neither the information nor the tools they need to protect themselves…”

Subject: Anti-Vaxxers Review-Bomb Bars With Vaccine Requirements
Source: Gizmodo

With the weather heating up, hot vax summer is in full swing. Unfortunately, that also means anti-vaxxers are back on their faux-self-righteous bullshit, and they’ve reportedly been review-bombing bars that attempt to isolate vaccinated customers from unvaccinated ones. That’s according to a weekend report from the MIT Technology Review. The outlet spoke with several establishments that claimed to have been spammed with one-star reviews on Yelp and Google Reviews after requiring proof of vaccination or instituting separate policies for unvaccinated patrons, such as limiting them to outdoor seating or to-go orders. So-called review-bombing is a tactic anti-maskers have used throughout the pandemic, attempting to tank the average review score of businesses that enforce mask-wearing and other safety protocols widely promoted by health experts.

Subject: IT security company exec charged with cyberattack on Georgia hospital
Source: Becker’s Health IT

The COO of an Atlanta-based healthcare network security company has been arraigned on charges related to a cyberattack on Gwinnett Medical Center in 2018, according to a June 10 Department of Justice news release. Vikas Singla, 45, was indicted June 8 for allegedly conducting a cyberattack on the Lawrenceville, Ga.-based hospital that included disrupting phone service, stealing information from a digital device and disrupting network printer services. He was COO at Atlanta-based Securolytics at the time of the Gwinnett Medical Center breach, according to Mr. Singla’s LinkedIn account.

The Justice Department claims that Mr. Singla orchestrated the attack for financial gain. Mr. Singla was charged with 17 counts of intentional damage to a protected computer and one count of obtaining information from a protected computer…

Subject: New-era authentication key widens trusted access to federal resources
Source: FedScoop

The recent wave of highly public cyberattacks has cast a spotlight on last month’s White House executive order on cybersecurity, and the need for agencies to modernize their cybersecurity and authentication systems. The executive order’s call for implementing zero-trust architecture, and new requirements to focus on more modern authentication strategies, signals an important turning point for government, say cybersecurity experts.

“This executive order will affect many organizations, both in the public and private sector, that work with the government [including] financial services, healthcare, the public sector, critical infrastructures, high tech, and education,” commented David Treece, Director Solutions Architecture at Yubico in a new report on modernized multifactor authentication (MFA) strategies.

The new directives lay out the need for agencies to implement a more multifaceted and modernized approach to authentication that can support today’s widely distributed and dynamically configured networks, according to a new report, produced by FedScoop and underwritten by Yubico.

The limits of CAC/PIV cards

The report highlights the rapidly evolving nature of authentication tools and the need for agencies to expand upon traditional public key infrastructure (PKI) methods. While the government’s long-established PKI-based Common Access Card (CAC) and Personal Identity Verification (PIV) credentials remain foundational to controlling access to defense and civilian systems respectively, they still have their limits.
