Pete Recommends – Weekly highlights on cyber security issues, July 4, 2021

Subject: App Maker Turns Gig Workers Into Military Assets
Source: Gizmodo

A San Francisco tech company paid millions by the U.S. military has turned an army of overseas cellphone users into a sweeping open-source intelligence network, gleaning data from cell towers and wifi hotspots in countries long engulfed by armed conflict with American forces and allies.

Citing federal spending records and other documents, including interviews with former employees, the Wall Street Journal reported Thursday that Premise Data Corp., a firm launched in 2013, has pitched a range of defense agencies on turning a global network of gig workers into unwitting intelligence gatherers across as many as 43 foreign countries.

A phone app developed by the company, also called Premise, allows users to complete seemingly innocuous tasks in exchange for small payments. Common assignments include photographing buildings, such as religious sites and financial institutions, and completing surveys crafted to provide insight on local populations. How exactly this data is used by Premise’s defense agency and private contractor clients is only vaguely described. But in addition to benign uses acknowledged by the company—such as gauging “vaccine hesitancy” and “susceptibility to foreign interference and misinformation in elections”—the Journal points to offers by the company to scout positions in conflict regions eyed by military commanders.

Subject: The US Takedown of Iranian Media Sites Extends a Thorny Precedent
Source: WIRED

Free speech advocates raised concerns after the Justice Department seized more than 30 domains this week.

In a surprise action on Tuesday, the United States government seized more than 30 website domains connected to Iran’s government, disrupting access to multiple state-backed media outlets. US officials said the action stemmed from terrorist disinformation distributed on the sites and their violation of sanctions. But press freedom advocates caution that the takedowns have much broader implications for free speech rights and foreign relations alike.

“It’s really unclear why the US government acted on these particular sites and why now, or what their standard is for intervention,” says Evelyn Douek, a research scholar at Columbia University’s Knight First Amendment Institute and a lecturer at Harvard Law School. “One of the core principles of free speech rights is that government restrictions on speech should be transparent and justified, and that’s not happening as much as it should.”

The operation was not the first time US government agencies have targeted Iranian state-backed news sites. But domain seizures can only disrupt service for so long, and sites typically return with a modified URL. Press TV quickly said on Tuesday that it had transitioned from a “.com” to a “.ir” address, which would not be managed by a US-based domain registrar.

Subject: How to Make Sure Your Browser Extensions Are Safe
Source: WIRED

As useful as all those add-ons can be, don’t get complacent when it comes to making sure they’re also secure. Browser extensions can be hugely useful, plugging gaps in functionality, adding cool new features and options, and generally just making life on the web more convenient.

At the same time, they have the potential to be a serious security risk—many ask to see everything you see online, some change key settings inside your browser, and they can operate and communicate with their developer (or with advertisers or other parties) in the background without your knowledge.

We don’t want to discourage you from using your favorite extensions, but you should definitely make sure the ones you’re using are safe.



Subject: New Laws Are ‘Probably Needed’ to Force US Firms to Patch Known Cyber Vulnerabilities, NSA Official Says
Source: Nextgov

Too many firms are shying away from replacing old gear that is only getting easier for criminals to attack.

The vast majority of cyber attacks exploit known vulnerabilities that could be fixed by patching older software and replacing older computing gear. But that costs money, and legislation will likely be needed to force companies to make these fixes soon — before the kind of AI-powered tools used by Russia and China become commonplace among smaller-scale hackers, said Rob Joyce, who leads the National Security Agency’s Cybersecurity Directorate.

“The biggest problem is historical tech debt,” said Joyce, meaning old computers and software that aren’t up-to-date on the most recent patches against attackers. “That means we have to be investing in refresh. We have to be investing in the defensive teams. We have to be investing in organizations that will track, follow and upgrade to close out those vulnerabilities and from where I sit, there’s probably going to have to be some regulation over time.” Joyce made his remarks during a pre-taped session that aired on Friday during the sixth annual Defense One Tech Summit.

“I think [artificial intelligence] is going to be more of an enabler in the crime area where people have that backdoor unlocked, because it’ll make it so much faster [for criminal groups] to recognize and realize vulnerabilities. And we’re already seeing that, you know, with these big internet-scale scanners that look across the totality of the internet, multiple times a day, and provide databases where you can search for a particular feature. So when a new class of vulnerability or exploit is out there people can immediately identify the machines that are vulnerable much faster than the teams can get there to patch. So that’s where I see the near and midterm problem from the offensive application of AI and [machine learning]” he said.

Subject: Scientist Finds Early Coronavirus Sequences That Had Been Mysteriously Deleted
Source: The New York Times

About a year ago, more than 200 data entries from the genetic sequencing of early cases of Covid-19 in Wuhan disappeared from an online scientific database. Now, by rooting through files stored on Google Cloud, a researcher in Seattle reports that he has recovered 13 of those original sequences — intriguing new information for discerning when and how the virus may have spilled over from a bat or another animal into humans.

The new analysis, released on Tuesday, bolsters earlier suggestions that a variety of coronaviruses may have been circulating in Wuhan before the initial outbreaks linked to animal and seafood markets in December 2019.

The genetic sequences of viral samples hold crucial clues about how SARS-CoV-2 shifted to our species from another animal, most likely a bat. Most precious of all are sequences from early in the pandemic, because they take scientists closer to the original spillover event.

Subject: How a Burner Identity Protects Your Inbox, Phone, and Cards
Source: NYT Wirecutter

Between vaccine appointment notifications, store pickups, online food ordering, and a general increase in online ordering, I feel like I’ve created three times as many online accounts in the past 18 months than I did in all previous years combined. Handing out any sort of personal information, whether it’s an email address or a phone number, can lead to spam, data breaches, or harassment. More abstractly, it can also enable tracking by data brokers—companies that take identifiable bits of data, including phone numbers, email addresses, and device-specific identifiers (such as a browser fingerprint or device ID that’s linked to a phone or computer) and then aggregate that data into a marketing profile. One way to protect your personal details from both individuals and corporations is to use alternate details, which you can generate through a number of tools. These “burner” identity tools create disposable email addresses, credit card numbers, and phone numbers, all of which can help protect your main accounts while you do just about anything online….

Subject: CISA Begins Cataloging Bad Practices that Increase Cyber Risk
Source: CISA

In a blog post by Executive Assistant Director (EAD) Eric Goldstein, CISA announced the creation of a catalog to document bad cybersecurity practices that are exceptionally risky for any organization and especially dangerous for those supporting designated Critical Infrastructure or National Critical Functions.

While extensive guidance on cybersecurity “best practices” exists, additional perspective is needed. Ending the most egregious risks requires organizations to make a concerted effort to stop bad practices.

CISA encourages cybersecurity leaders and professionals to review EAD Goldstein’s blog post and the new Bad Practices webpage and to monitor the webpage for updates. CISA also encourages all organizations to engage in the necessary actions and critical conversations to address bad practices.

Subject: VA watchdog warns of security risks from undocumented PIV cards
Source: FCW

The Veterans Health Administration (VHA) is at increased risk of security breaches because it’s not following requirements about documenting personal identity verification cards returned by contract personnel, according to a new inspector general report.

According to the report, a review of 46 professional service and health care resource contracts by the Veterans Affairs Office of Inspector General found that not one had the proper documentation to prove the contractors’ personnel had returned their access cards. The IG report published on Tuesday warned that “even if subsequently detected, it could be too late to stop harm in the facility or the misuse or distribution of veterans’ personal information.”

Subject: Supreme Court sides with credit agency
Source: Risks Digest via WaPo – Sun, 27 Jun 2021 05:31:19 +0800

Washington Post – ‘“TransUnion generated credit reports that erroneously flagged many law-abiding people as potential terrorists and drug traffickers,” wrote Thomas. Yet, “the majority decides that TransUnion’s actions are so insignificant that the Constitution prohibits consumers from vindicating their rights in federal court. The Constitution does no such thing.”’

TransUnion, and other financial service entities, can (and routinely do) test if your name matches one on the list maintained by the Treasury Department’s Office of Foreign Assets Control (OFAC). Probably part of their KYC (know your customer) processes.

Subject: Google Is Adding Support for Digital Covid-19 Vax Cards into Android
Source: Gizmodo

Google says users will be able to store digital covid info on their Android devices and be able to access them quickly using a shortcut on their home screen—even if your device doesn’t have an internet connection. The only major requirement is that your device is running Android 5 or later and be Play Protect certified. Google even made a specific point to call out that users will not need to have Google Pay installed to access covid cards either.

Healthcare providers will be able to send out digital covid cards to patients directly via text or email or host it themselves on a website, but any covid-related info will not be retained by Google, stored in the cloud, or visible to third-party advertisers. Google says covid cards will only be stored locally on your device, though that does mean if you want to save your covid card on multiple devices, you will need to redownload it separately on each device.
