Pete Recommends – Weekly highlights on cyber security issues, July 25, 2021

Subject: ‘Stop What You’re Doing and Read This,’ Says Snowden
Source: AP via Newser

(Newser) – An investigation by a global media consortium based on leaked targeting data provides further evidence that military-grade malware from Israel-based NSO Group, the world’s most infamous hacker-for-hire outfit, is being used to spy on journalists, human rights activists, and political dissidents, the AP reports. From a list of more than 50,000 cellphone numbers obtained by the Paris-based journalism nonprofit Forbidden Stories and the human rights group Amnesty International and shared with 16 news organizations, journalists were able to identify more than 1,000 individuals in 50 countries who were allegedly selected by NSO clients for potential surveillance. They include 189 journalists, more than 600 politicians and government officials, at least 65 business executives, 85 human rights activists, and several heads of state….

Subject: Amazon Cuts Off Service to NSO Spyware Firm Behind iPhone Hacks
Source: Gizmodo

The Israeli company has been accused of helping repressive governments hack journalists and dissidents all over the world. Amazon has cut off web hosting services for the NSO Group, an Israeli spyware firm that has been widely accused of aiding in the surveillance of journalists and political dissidents.

The move comes shortly after an extensive investigation into the widespread use of NSO’s commercial malware “Pegasus”—a product that has the ability to totally compromise phones and is thought to be used by dozens of governments throughout the world. Over the weekend, Amnesty International, the Washington Post, and a consortium of other news and research outlets began publishing stories related to “The Pegasus Project,” which reveals the extent to which the spyware has been used to target devices in dozens of countries—including those belonging to journalists, politicians, and human rights activists.

One of Amazon’s services, CloudFront, has apparently been instrumental in some of the most recent attacks that used this malware, Motherboard first reported.

The publication of “The Pegasus Project” has led to renewed international outrage over the apparent abuses connected to NSO’s products. The publication follows on the heels of multiple crises for the spyware firm—including a large lawsuit filed by the likes of Facebook, Microsoft, Google, and other large tech firms over the company’s apparent role in compromising their customers’ private accounts.

Subject: Protect your smartphone from radio-based attacks
Source: Help Net Security

By now, most of us are aware that smartphones are powerful computers and should be treated as such. It’s not a coincidence that most of the security tips given to smartphone users – such as refraining from opening suspicious links or downloading untrusted apps – also apply to PCs. But unlike PCs, smartphones contain a plethora of radios – typically cellular, Wi-Fi, Bluetooth and Near Field Communication (NFC) – that enable wireless communication in a variety of circumstances, and these radios are designed to remain turned on as the user moves through the world. It’s important for all smartphone users to understand the security implications of these wireless interfaces.

The headline here is that security gaps with these interfaces, whether baked into the protocol or found in a specific implementation, can allow attackers to force connections to untrusted equipment, giving them opportunities to extract data and even take control of the targeted device.

It’s been reported that sophisticated nation-state actors like Russia and China are highly skilled in using such RF-based techniques, allegedly targeting travelers when passing through airports and other chokepoints. But many of the tools for RF hacking are available to garden-variety hackers as well.

Subject: VA Needs a Security Check For Its Social Security Number Reduction Tool
Source: Nextgov

A tool designed to protect the identity of veterans is itself in need of a security update. The Veterans Affairs Department’s Social Security Number Reduction, or SSNR, tool was recently migrated from a contractor-run environment to the agency’s own enterprise cloud and is in need of a security review before it can be used on VA systems.

Agencies have been trying to wean themselves off of Social Security numbers for nearly 15 years, going back to an Office of Management and Budget mandate issued in 2007. That push continues today, with lawmakers calling on the then-head of the Cybersecurity and Infrastructure Security Agency to end reliance on the number as a form of identity verification.

VA has the statutory authority to use SSNs as identifiers. However, the “increased availability of SSNs with the aggregation of other personal identifiers has exposed individuals to possible identity theft,” according to a request for information posted to “Thus, VA has taken steps to reduce and, where possible, eliminate the use of the SSNs in VA operations, programs and services.”

Subject: Connecticut pushes cybersecurity with offers of punitive damage protection
Source: GCN

Connecticut Gov. Ned Lamont signed a bill designed to encourage businesses in the state to beef up their cybersecurity. “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” will protect businesses from punitive damages resulting from a breach of personal data if they have adopted and adhere to industry-standard cybersecurity measures.

The new law requires businesses to secure individuals’ names, Social Security numbers, taxpayer ID numbers, driver’s license numbers or other government identifiers; financial account numbers and passwords; medical or health insurance information; biometric information; and names or email addresses that are used in combination with a password or security question to access online accounts.

To be exempt from damages, an organization must conform to the current version of any recognized security framework such as the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity; Special Publications 800-171, 800-53 and 800-53a; the Federal Risk and Authorization Management Program’s FedRAMP Security Assessment Framework; the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense; or the ISO/IEC 27000 series.

Organizations already regulated by the state or federal government must keep their compliance with the Health Insurance Portability and Accountability Act, the Federal Information Security Modernization Act and the Health Information Technology for Economic and Clinical Health Act in order to avoid paying punitive damages.

Subject: Zero Trust-Like Approach Needed for Microelectronics Industry, Former DOD Official Says
Source: Nextgov

A former Defense Department official is recommending the U.S. take an approach to shoring up the microelectronics supply chain akin to the zero-trust model for cybersecurity rather than overemphasize onshoring and subsidizing as a silver bullet. As a global chip shortage rages, lawmakers are grappling with how to ensure not only that Americans are able to buy products like cars and smartphones, but also how DOD and the intelligence community can be sure the technologies they rely on are available and safe to use.

While it’s unlikely that a solution capable of handling a 13.2% year over year demand growth will materialize overnight, the crisis is attracting attention from the highest levels of the federal government. Two of the most prominent efforts in this area are an executive order President Joe Biden signed in February mandating supply chain reviews and the Creating Helpful Invectives [sic] to Produce Semiconductors, or CHIPS, for America Act. The Senate-passed U.S. Innovation and Competition Act includes the more than $50 billion in funding needed to realize the CHIPS Act.

Lending an added sense of urgency to the semiconductor issue is competition with China, which is investing heavily in microelectronics. But during a hearing before the House Permanent Select Committee on Intelligence’s Strategic Technologies and Advanced Research subcommittee, a former deputy undersecretary of defense for research and engineering cautioned lawmakers against depending on the creation of trusted onshore foundries and the limitation of actors in the supply chain to only those who can be trusted as a solution.

Porter argued that this kind of approach actually makes the U.S. less secure, because it draws a false equivalency between onshoring and security—not to mention, closing the U.S. off from the rest of the global microelectronics enterprise isn’t feasible. Instead, she argued, the U.S. should replicate the zero-trust cybersecurity philosophy—which generally means taking a never-trust, always-verify approach and is being adopted across the federal government—for microelectronics.

The reality is the U.S. is never going to be able to control the entire semiconductor supply chain, Porter said. Instead, it’s better off working to help set international standards to hold the global industry accountable regardless of where a company is located.

Subject: FTC Adopts New Policy Supporting Right to Repair
Source: Gizmodo

Following an executive order from President Biden, today the Federal Trade Commission voted unanimously to adopt a new policy designed to support the growing right to repair movement. Passed in a 5-0 decision, the FTC’s new policy is designed to make it easier for consumers to fix their own devices and also pledges to step up investigations of companies suspected of having unlawful repair restrictions. That’s something the FTC admitted has not been an “enforcement priority for the Commission for a number of years.”

No new laws have been set in stone just yet, but the FTC’s new policy outlines five things it’s looking to improve going forward. The first is that the FTC will now prioritize investigations into unlawful repair restrictions covered under laws like the Magnuson-Moss Warranty Act. Additionally, the FTC says it will urge the public to submit complaints and info about companies that are potentially violating relevant laws, while also keeping a closer eye on private litigation to help decide which companies may require further investigation.

[What happens when the end-user repaired product is sold? esp. if command modules have been modified? warranty?]

Subject: New emergency alerts set to begin in July; here’s what they mean
Source: Nexstar Media via WTAJ

FILE – In this Jan. 3, 2019 file photo a mobile phone customer looks at an earthquake warning application on their phone in Los Angeles. Earthquake early warning alerts will become publicly available throughout California for the first time this week, potentially giving people time to protect themselves from harm, the Governor’s Office of Emergency Services said Wednesday, Oct. 16, 2019. Warnings produced by the ShakeAlert system will be pushed through two delivery systems: a cellphone app called MyShake and the same wireless notification system that issues Amber Alerts, meaning people may receive both notifications.

(WTAJ) — The National Weather Service (NWS) announced Thursday that Wireless Emergency Alerts (WEA) for “destructive” weather will begin being sent to phones on July 28.

Starting July 28, 2021, the National Weather Service will begin to alert people on the severity and potential impacts from hail and thunderstorm winds by adding a “damage threat” to Severe Thunderstorm Warnings. The NWS said it’s similar to the tornado and flash flood warnings.

“Destructive” and “Considerable” Damage Threat Categories – The NWS has recently developed three categories of damage threats for severe thunderstorm warnings to distinguish between high-impact and low-impact events. These tags and additional messaging are designed to promote immediate action, based on the threats…

Subject: Accused Capitol Rioter Forced to Unlock Laptop With Face Recognition
Source: Gizmodo

U.S. courts are split on whether forced device unlocks violate the Fifth Amendment, and the Supreme Court has yet to step in. A federal judge has ordered a man accused of participating in the deadly Jan. 6 insurrection at the Capitol to unlock his laptop for investigators, CNN reported on Wednesday.

Investigators seized the Microsoft Surface Pro laptop on a search warrant earlier this year, but claim to have been unable to access its hard drive. The judge in the case ordered the defendant Guy Reffitt, who is facing five federal charges including bringing a handgun to the riot and obstruction of justice, to sit in front of the laptop and unlock it via face recognition. Reffitt, a member of the far-right Texas Three Percenter militia, allegedly took part in the failed attempt to disrupt Congressional certification of Joe Biden’s victory in the 2020 elections on behalf of Donald Trump, and later threatened to execute his daughter and son as “traitors” if they turned him in to authorities.

Courts have long issued contradictory rulings on whether forced device unlocks violate the Fifth Amendment right against self-incrimination. According to Ars Technica, federal courts in Indiana, Pennsylvania, Vermont, and Colorado (and New Jersey), as well as state courts in Virginia and Massachusetts, have all ruled that suspects can be forced to unlock phones. However, federal courts in Wisconsin and Pennsylvania, as well as a state court in Florida, have ruled the opposite. The legalities surrounding biometric security, which in this case required merely that the suspect be placed in front of the device rather than provide login details, are even murkier. A federal court in California ruled in 2019 that investigators can’t compel a suspect to unlock a device with face recognition or a fingerprint scan, finding it identical to a password.

Subject: Scam Alert: How to Spot a Bogus Job
Source: NerdWallet

According to the FBI, the newest scams typically work like this:

  • Criminals create a domain name similar in appearance to a legitimate company. They may add a space or flip a digit in the URL — a change so small it’s likely to be overlooked.
  • Next they post job openings on job boards, directing applicants to the spoofed sites.
  • People applying either on job boards or the fake sites get an email requesting an interview, which is conducted remotely.
  • Applicants are told they got the job or are finalists.
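The first step in the FBI's description, a domain that differs from the real employer's by a swapped digit or an extra label, is something an applicant or a help-desk team can check mechanically before trusting a posting. The Python below is an added example written for this digest, not code from the FBI, NerdWallet or any vendor; the employer domains and job links it uses are constructed, and its two-label "registrable domain" shortcut stands in for a real public-suffix list.

```python
"""Flag job-posting links whose domain imitates a known employer's domain.

Added illustration (not from the FBI or NerdWallet): a small checker that an
applicant or a security team can run over links found in job offers.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the employer domains an applicant legitimately expects.
KNOWN_DOMAINS = {"examplecorp.com", "acmehiring.com"}

# Digit-for-letter swaps that survive a quick glance at a URL.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Letter pairs that visually blend into a single letter.
MULTI_CHAR = [("rn", "m"), ("vv", "w")]


def hostname(link):
    """Lowercase hostname of a URL or bare host string (scheme added if absent)."""
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()


def registrable(host):
    """Naive registrable domain: the last two labels (no public-suffix list here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalise(domain):
    """Fold confusable characters so 'examp1ec0rp.com' compares equal to 'examplecorp.com'."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    for seq, repl in MULTI_CHAR:
        d = d.replace(seq, repl)
    return d


def levenshtein(a, b):
    """Edit distance; catches one or two swapped, dropped or added characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(link, known=KNOWN_DOMAINS):
    """Return 'legitimate', 'unrelated', or a 'lookalike (...)' reason for a link."""
    host = hostname(link)
    reg = registrable(host)
    if reg in known:
        return "legitimate"
    reg_label = normalise(reg).rsplit(".", 1)[0]
    for k in sorted(known):
        k_label = normalise(k).rsplit(".", 1)[0]
        if host.startswith(k + "."):
            # e.g. examplecorp.com.apply-now.net: the real name is only a subdomain
            return "lookalike (brand used as subdomain)"
        if normalise(reg) == normalise(k):
            return "lookalike (confusable characters)"
        if reg_label == k_label:
            return "lookalike (different top-level domain)"
        if k_label in reg_label:
            return "lookalike (brand embedded in another domain)"
        if levenshtein(reg_label, k_label) <= max(1, len(k_label) // 5):
            return "lookalike (near match)"
    return "unrelated"


def scan(links, known=KNOWN_DOMAINS):
    """Map each link to its verdict; anything not 'legitimate' deserves a second look."""
    return {link: classify(link, known) for link in links}


if __name__ == "__main__":
    # Constructed sample links, not real scam or employer addresses.
    for link, verdict in scan([
        "https://careers.examplecorp.com/apply",
        "http://examp1ec0rp.com/jobs",
        "examplecorp.com.apply-now.net",
        "https://exampelcorp.com",
        "https://examplecorp-hr.com",
        "https://jobs.unrelated-site.org",
    ]).items():
        print(f"{verdict:45} {link}")
```

The checker only folds ASCII digit-for-letter swaps; homoglyphs from other scripts (a Cyrillic "а" in place of a Latin "a") need a full confusables table, and the two-label domain shortcut misreads suffixes such as co.uk, so treat its verdicts as a prompt to verify the employer through a channel you already trust rather than as a final answer.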
Posted in: Criminal Law, Cybercrime, Cybersecurity, Environmental Law, Gadgets/Gizmos, Legal Research, Privacy, Technology Trends