Pete Recommends – Weekly highlights on cyber security issues, July 18, 2021

Subject: YouTube Algorithm Recommends Videos that Violate the Platform’s Very Own Policies
Source: Mozilla Investigation via beSpacific

Mozilla Investigation: “YouTube’s controversial algorithm is recommending videos considered disturbing and hateful that often violate the platform’s very own content policies, according to a 10-month long, crowdsourced investigation released today by Mozilla. The in-depth study also found that people in non-English speaking countries are far more likely to encounter videos they considered disturbing. Mozilla conducted this research using RegretsReporter, an open-source browser extension that converted thousands of YouTube users into YouTube watchdogs. People voluntarily donated their data, providing researchers access to a pool of YouTube’s tightly-held recommendation data. The research is the largest-ever crowdsourced investigation into YouTube’s algorithm…”

Subject: DHS assesses Privacy Technology Demonstration results
Source: Homeland Preparedness News

U.S. Department of Homeland Security (DHS) Science and Technology Directorate (S&T) officials have assessed the 2020 Privacy Technology Demonstration results. The endeavor sought to advance efforts to protect the privacy of individuals appearing in photos and videos. Five privacy systems participated in the event to demonstrate their ability to detect and blur faces in an S&T-created video.

“In recent years, we’ve observed tremendous improvement in face recognition technologies,” Arun Vemury, director of DHS S&T’s Biometric and Identity Technology Center, said. “The purpose of this research is to nurture the development of privacy enhancing technologies that can be used by organizations that have an interest in operating various types of camera systems, but recognize concerns related to face recognition surveillance.”

Subject: Twitter Verifies Six Fake Accounts Including This Cat
Source: Gizmodo

Twitter accidentally verified at least six accounts that were likely part of a spam botnet, according to a disinformation researcher and a new report from the Daily Dot. The accounts allegedly used fake profile photos generated by software similar to This Person Does Not Exist, as well as one photo of a cat that most likely does exist. Twitter user Conspirador Norteño first identified the fake accounts, all of which had been created less than a month earlier, on June 16. Norteño identified the six verified accounts as belonging to a malicious group of over 1,000 accounts, though it's not clear who is behind the fake Twitter army.

“These 976 accounts are part of an astroturf botnet consisting of (at least) 1212 accounts,” Norteño tweeted on Monday.

Subject: Cellebrite Phone-Cracking Tools Used to Target More Journalists
Source: Gizmodo

The firm, whose data extraction tools are a police favorite, is facing intense scrutiny for the ways in which its products are abused by governments. Ahead of its planned IPO in the U.S., Cellebrite faces fresh flames after its phone-cracking tools were yet again used to violate the privacy of journalists.

The unscrupulous digital forensics firm sells data extraction tools to government authorities throughout the world, helping police break into suspects' phones and analyze their data. Critics have frequently faulted the company for its sales to repressive governments, as well as its apparent inability to meaningfully respond to the human rights abuses committed by those clients.

In May, the Committee to Protect Journalists published a report revealing the horrendous ordeal of Oratile Dikologang, a Botswana-based reporter who was arrested by police last year on bizarre charges and allegedly tortured. In the course of his arrest, authorities used Cellebrite to unlock Dikologang’s phone and extract information about all of his contacts and sources.

Now CPJ has uncovered another episode in which Cellebrite’s technology was used to invasively target a journalist: Tsaone Basimanebotlhe, a reporter for the Botswana newspaper Mmegi, says that police came to her village in 2019 and served her with a warrant—not to arrest her, but to seize her devices.

Subject: New website – The U.S. Government’s One-Stop Location to Stop Ransomware
Source: CISA

The U.S. Government launched a new website to help public and private organizations defend against the rise in ransomware cases. The site is a whole-of-government approach that gives one central location for ransomware resources and alerts. We encourage organizations to use this new website to understand the threat of ransomware, mitigate risk, and in the event of an attack, know what steps to take next. The webpage is an interagency resource that provides our partners and stakeholders with ransomware protection, detection, and response guidance on a single website. This includes ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners.

We look forward to growing the information and resources on the site and plan to partner with additional Federal Agencies who are working to curb the rise in ransomware.



Subject: MAGA-branded ‘Freedom Phone’ Is a Major Security Hazard
Source: Gizmodo

Nobody can blame GOP voters for wanting a phone that prioritizes privacy and autonomy, but the Freedom Phone can't be trusted. Be it Parler, Gab, or GETTR, recent times have seen no shortage of dollar-sign-eyed entrepreneurs looking to capitalize on conservative America's disdain for "liberal" Silicon Valley. It was only a matter of time before someone tried to invent the MAGA phone.

Er, make that…the “Freedom Phone.” The device, which launched Thursday, is the product of Erik Finman, a 22-year-old crypto-millionaire who says that he wants America’s patriots to take “back control” of their lives from the tech oligarchy. Finman’s phone, which costs $499, claims to offer conservatives a way to be free of Big Tech’s “spying” and “censorship”—though it is radically vague on the details. Like a random handgun, the phone should be treated as if it were loaded and dangerous because we simply don’t know what’s under the hood.

Before we get into the specifics of why this device probably sucks, let me just say that the desire to have a phone that is dedicated to protecting your autonomy and privacy is a reasonable one—and should be encouraged. That said, I don’t think the Freedom Phone provides that. Actually, aside from its overt partisan bent, it’s impossible to tell what kind of device this is because Finman and his acolytes haven’t provided any information about it.

"Based on photographs from the company website a number of Internet sleuths identified that the device has the same form-factor, shape, and appearance of a Umidigi A9 Pro," said Hickey, via email. "This device is a drop-shipped customizable Android-based phone that can be ordered from the ASIAPAC region and customized to a project's requirements," he said, clarifying that such devices can be "bought and shipped in bulk with custom logos and branding so as to give the appearance of a phone that has been designed for a unique purpose but is actually just a common cheap Android-based smartphone with core components produced in Taiwan and the surrounding areas." It's also very cheap: the A9 Pro is currently available for about $120, much less than the Freedom Phone's $500.


Subject: State Data Privacy Bills Growing More Widespread
Source: Nextgov

A bill to establish "data rights" for Ohioans, including the ability to have personal data deleted and to request that it not be sold, was introduced this week in the Ohio General Assembly. House Bill 376, known as the Ohio Personal Privacy Act, would require businesses to post privacy notices and disclose where data is sold. It also would require businesses to adhere to specified data standards. It encourages them to adopt the National Institute of Standards and Technology Privacy Framework as a standard for developing a privacy policy.

If passed, the privacy act would primarily apply to firms with $25 million or more in gross annual revenue in Ohio or businesses that control or process large amounts of data. Some companies and industries would be exempt.

Ohio joins more than 20 states that have introduced data privacy legislation, according to Gov. Mike DeWine’s office.


Subject: Hackers hit Florida Blue with cyber-spoofing attack, expose 30,000+ members’ info
Source: Becker’s Health IT

Jacksonville-based Florida Blue, part of Blue Cross Blue Shield, recently began notifying more than 30,000 members that their personal information was exposed during what the insurer calls a cyber-spoofing attack on the payer's member portal; from the description that follows, practitioners would call it credential stuffing. Florida Blue's IT security team on June 8 discovered numerous unauthorized login attempts to the Florida Blue online member portal, the company said in a June 30 notice. After investigating the activity, the team realized that Florida Blue had been targeted in a cyber-spoofing attack.

A hacker orchestrated the attack by using a large database of user identifiers and corresponding passwords available on the internet to impersonate members and gain improper access to Florida Blue’s online member portal. The health insurer said the excessive number of login failures “strongly indicates that the ID and password combinations used during the incident did not come from Florida Blue systems, but rather were compiled from third-party websites where ID and password information were previously compromised,” according to its online notice.
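The pattern Florida Blue describes (a flood of login attempts spread across many member IDs, most of them failing because the leaked password no longer matches) is what distinguishes credential stuffing from a brute-force attack on a single account. The detector below is an added example written for this digest, not code from Florida Blue or the article; it runs over a constructed, hypothetical login log in a made-up "timestamp source_ip username OK|FAIL" format and flags sources that try many distinct accounts, a few times each, with a high failure rate within a short window. The thresholds are assumptions a real deployment would tune.

```python
# Added example: credential-stuffing detection over a constructed login log.
# Not Florida Blue's code; the log format and thresholds are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse constructed 'ISO-timestamp src_ip username OK|FAIL' lines."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def make_sample_log():
    """Constructed sample: one stuffing source, one brute-force source, normal users."""
    base = datetime(2021, 6, 8, 2, 0, 0)
    lines = []
    # Credential stuffing: 40 different member IDs, one try each, from a single
    # IP in 80 seconds.  37 fail (stale leaked pairs); 3 succeed (reused passwords).
    for i in range(40):
        outcome = "OK" if i in (5, 17, 33) else "FAIL"
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 203.0.113.7 member{i:03d} {outcome}")
    # Brute force: one IP hammering a single account 30 times (different signal).
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.9 member005 FAIL")
    # Normal traffic: each user from their own IP, mostly succeeding, one typo.
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 192.0.2.{i + 1} user{i} OK")
    lines.append(f"{(base + timedelta(seconds=25)).isoformat()} 192.0.2.3 user2 FAIL")
    return "\n".join(lines)


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=20, min_fail_rate=0.8,
                               max_attempts_per_account=3.0):
    """Return {src_ip: summary} for sources whose activity in any window of
    length `window` tries many distinct accounts, only a few times each, with
    a high failure rate.  Brute force is the opposite shape (many attempts
    against few accounts) and is deliberately not matched here."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            failures = sum(not e.ok for e in span)
            fail_rate = failures / len(span)
            per_account = len(span) / len(users)
            if (len(users) >= min_accounts and fail_rate >= min_fail_rate
                    and per_account <= max_attempts_per_account):
                # Keep the widest matching span so the summary covers the whole run.
                if ip not in flagged or len(users) > flagged[ip]["accounts_tried"]:
                    flagged[ip] = {
                        "accounts_tried": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        # Successful logins inside a stuffing run are the
                        # accounts whose passwords were reused elsewhere.
                        "compromised": sorted(e.user for e in span if e.ok),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(make_sample_log())).items():
        print(ip, summary)
```

The successful logins inside a flagged run are the actionable output: those are the members whose reused passwords worked, and the ones the portal should force through a reset and a notification rather than treating the incident as "mostly failed attempts".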


Subject: NIST Outlines Security Measures for Software Use and Testing Under Executive Order
Source: NextGov

Eyes now turn to the Office of Management and Budget to issue requirements for federal agencies and contractors based on NIST’s work. The National Institute of Standards and Technology met crucial obligations laid out for it in a May 12 executive order with the publication of documents recommending minimum standards for the verification and use of software in the federal government.

The order was created in response to hackers infiltrating government contractor SolarWinds to distribute malware to thousands of victims, including federal agencies, through what seemed to be a legitimate software update from the IT management firm. The attackers also exploited weak passwords and authentication controls to move further within victim systems.

NIST was tasked with identifying security measures for the use of critical software and recommending minimum standards for software vendors to test their products before offering them to the government by July 11 and issued a bulletin linking to the documents on July 9. NIST was also responsible for defining ‘critical software.’

The ball now moves to the court of the Office of Management and Budget. Within 30 days of NIST's guidelines being published, OMB must require federal agencies to implement the security measures NIST outlined for the use of critical software, including through their procurements, according to the order…

Posted in: Blockchain, Civil Liberties, Cybercrime, Cyberlaw, Cybersecurity, Legal Research, Legislative, Privacy, Technology Trends