Pete Recommends – Weekly highlights on cyber security issues, August 8, 2021

Subject: How to Defend Yourself Against NSO Spyware Like Pegasus
Source: The Intercept

Even iPhones were vulnerable to the surveillance software, which appears to have been used against activists, journalists, and others. An international group of journalists this month detailed extensive new evidence that spyware made by Israeli company NSO Group was used against activists, business executives, journalists, and lawyers around the world. Even Apple’s iPhone, frequently lauded for its tight security, was found to be “no match” for the surveillance software, leading Johns Hopkins cryptographer Matthew Green to fret that the NSO revelations had led some hacking experts to descend into a posture of “security nihilism.”

Subject: Social Security ‘Overwhelmed’ by Mail, Infuriating Customers Seeking Documents
Source: Nextgov

With most employees teleworking during the pandemic, the watchdog faulted the agency for not having a system to track and return customers’ identification documents. The Social Security Administration is struggling with a backlog of thousands of unprocessed eligibility documents and half of field offices report being “overwhelmed” by mail as a result of the agency’s inability to adequately manage mail processing during the pandemic, the agency’s inspector general reported last week.

Since the start of the COVID-19 pandemic, most Social Security offices have been in a maximum telework stance, but some managers have had to report to their offices to handle mail duties. Lawmakers have repeatedly highlighted complaints from constituents about the need to mail original copies of sensitive documents, including driver’s licenses and birth certificates, to the agency as a result of the office closures.

According to the report, the issues around handling the mail have led to a backlog of thousands of customers’ original documents and thousands of unprocessed applications for Social Security cards.

At the root of these issues is the fact that the Social Security Administration has no way to measure the flow of mail at its offices and adjust staffing levels to cope with it, the inspector general wrote.

Subject: Home Depot Testing Pilot Program for Bluetooth-Activated Tools
Source: Gizmodo

In a bid to crack down on organized retail crime, Home Depot is piloting a program where power tools must be activated via Bluetooth at checkout—or they won’t work. It’s a clever solution to deter theft, but it also highlights how technology can sometimes change gadget ownership in unintended ways.

Apparently, power tools are an attractive and lucrative target for retail shoplifters. Earlier this year, a Florida man stole more than $17,000 worth of power tools from various Home Depot stores in the state. A MarketWatch report notes that the Bluetooth tech is on the device itself, not the packaging, so even if a thief were successful in filching the tool, it wouldn’t turn on. Home Depot is also working with other partners on the program and may extend it to other items like smart home gadgets. Business Insider reports that Home Depot has already tested this tech in a few stores, and will now be rolling it out more widely with the aim of eventually introducing it to every Home Depot in the U.S.

More worryingly, it also raises the question of what happens if and when a legitimate customer decides to resell a power tool? Does that then mean you have to transfer registration or risk bricking your device?

Right now, there are a lot of unanswered questions should this pilot program turn out to be successful. For instance, does this only apply to tools bought in brick-and-mortar shops, or does it also affect tools bought online? If so, does that mean you have to go out of your way to go to a Home Depot to activate something you bought online?

Subject: Researchers Say They’ve Found a ‘Master Face’ to Bypass Face Rec Tech
Source: Gizmodo

A group of researchers says that artificial intelligence can be used to trick most biometric face scanners. In addition to helping police arrest the wrong person or monitor how often you visit the Gap, facial recognition is increasingly used by companies as a routine security procedure: it’s a way to unlock your phone or log into social media, for example. This practice comes with an exchange of privacy for the promise of comfort and security but, according to a recent study, that promise is basically bullshit.

Indeed, computer scientists at Tel Aviv University in Israel say they have discovered a way to bypass a large percentage of facial recognition systems by basically faking your face. The team calls this method the “master face” (like a “master key,” harhar), which uses artificial intelligence technologies to create a facial template—one that can consistently juke and unlock identity verification systems.

Subject: NIST revises flagship cyber resiliency guidance
Source: FedScoop

The National Institute of Standards and Technology released the first-ever revision to its flagship cyber resiliency guidance with updated controls and a single threat taxonomy Thursday.

NIST updated Special Publication (SP) 800-160 Vol. 2 to align cyber resilience controls with SP 800-53 Rev. 5 security and privacy controls for agencies’ and industry’s IT systems, as well as map it to MITRE’s ATT&CK threat framework.

A product of the NIST Systems Security Engineering initiative, the guidance reflects the latest cyber resiliency implementation approaches for engineers to address known hacker tactics laid out in the ATT&CK framework.

“The goal of the NIST Systems Security Engineering initiative is to address security, safety and resiliency issues from the perspective of stakeholder requirements and protection needs, using established engineering processes to ensure that those requirements and needs are addressed across the entire system life cycle to develop more trustworthy systems,” reads the revised guidance.


Subject: 7 Foundations of OSINT

Open-source intelligence is a fascinating discipline with many intricate moving pieces. I have strived to learn all that I can. As I have done that I realized that part of what makes OSINT difficult to teach and learn is that it is made up of many individually complex topics which one could devote an entire career to.

Understanding a broad discipline like OSINT can be difficult and taken as a whole learning it can be quite daunting. However, I have always found with challenging or complex topics the easiest thing to do is break them up into smaller parts. To that end, I wanted to create a list of the core skills that form the basis of OSINT and how you continue to hone them at both the beginner and advanced levels. A note: this list is not meant to be exhaustive or for that matter comprehensive. You will likely have skills that help you OSINT that maybe I do not have, and depending on your exact focus some of these may be more important than others. Many of the skills take years of dedication and learning to master. Entire books could be written (and have been) on each topic alone! This is intended as a resource to introduce you to fundamental skills and help you start learning them or if already along your learning journey to help you continue to learn.

Subject: Department of Labor Focuses on Cybersecurity for Benefit Plans
Source: The National Law Review

ERISA-covered plans hold millions of dollars or more in assets and maintain a large amount of personal data on participants, therefore, such plans can be tempting targets for cyber-criminals. Recognizing this, the Employee Benefits Security Administration (EBSA) of the U.S. Department of Labor issued its first-ever cybersecurity guidance concerning employee benefit plans this spring. Further, in June 2021, just two months after issuing the guidance, government investigators began seeking information from plan sponsors about cybersecurity policies and procedures. While such requests thus far have been limited to ongoing audits, plan sponsors and fiduciaries would be wise to review EBSA’s guidance and implement its suggestions as appropriate. The EBSA guidance, which is directed to plan sponsors and fiduciaries as well as recordkeepers and plan participants, is set forth in three separate publications.

Subject: Ransomware poses threat to vulnerable local governments
Source: Washington Post

Ransomware is the invisible threat that’s sweeping the nation. President Biden publicly committed aggressive action on cybersecurity and defending American infrastructure. Recent high-profile attacks left people panic-buying gas along the East Coast and debilitated hundreds of institutions around the globe. But underneath the big attacks, in the metropolitan area surrounding the nation’s capital where security is a top priority, local government agencies such as school districts, city halls and police departments are among the most vulnerable to ransomware attacks, experts say.

In April, D.C.’s police suffered an attack, with a group posting purported department data after making demands for money. In the fall, Baltimore County Public Schools and Fairfax County Public Schools faced similar attacks, causing online classes in Baltimore County to briefly stop. And the Hampton Roads Sanitation District and Bristol Police Department in Virginia became victims last fall and winter.
