Pete Recommends – Weekly highlights on cyber security issues, September 18, 2021

Subject: Agencies may want to establish a national strategy for contact-tracing apps
Source: FedScoop

The absence of a national contact-tracing app led 26 states, territories and Washington, D.C. to seek out their own in a staggered fashion beginning in August 2020. Costs could reach as high as $700,000 and downloads range from 200,000 to 2 million from state to state.

“Policymakers could recommend a national app that public health authorities could decide to use based on their individual needs,” reads GAO‘s report. “A national app could add more functions by integrating exposure notification capabilities with test scheduling and vaccine delivery coordination.”

Current apps have a number of issues like the accuracy of their distance and exposure measurements, which can lead to inaccurate alerts.

A lack of independent privacy and security assessments, as well as federal legal protections, is a deterrent for potential users, and some states have struggled to encourage adoption.

There’s also the problem of a lack of data to evaluate how effective exposure notification apps actually are. The Department of Homeland Security Science and Technology Directorate‘s Silicon Valley Innovation Program currently has two projects developing app criteria, but they’re two years away from completion.


Subject: ‘Breach of trust’: Police using QR check-in data to solve crimes
Source: The RISKS Digest, Volume 32, Issue 87, “John Colville” <[email protected]>, Sun, 5 Sep 2021

The nation’s privacy watchdog has called for police forces to be banned from accessing information from QR code check-in applications, after law-enforcement agencies have sought to use the contact-tracing data on at least six occasions to solve unrelated crimes.

Subject: Walmart crypto news: Fake press release announced litecoin partnership
Source: USA Today

The release was sent out by GlobeNewswire at 9:30 a.m. ET but has since been removed. Litecoin tweeted the press release, which claimed Walmart would start accepting the digital currency starting Oct. 1 but then deleted the tweet. Several news outlets published reports based on the release before Walmart denied the release.

This isn’t the first time fake press releases got attention. In 2017, a fabricated news release circulated that claimed McDonald’s would submit an unsolicited bid to acquire fast-casual chain Chipotle Mexican Grill.

Subject: Apple’s Plan to Scan Your Phone Raises the Stakes on a Key Question: Can You Trust Big Tech?
Source: Nextgov

Apple’s plan to scan customers’ phones and other devices for images depicting child sexual abuse generated a backlash over privacy concerns, which led the company to announce a delay. Apple, Facebook, Google and other companies have long scanned customers’ images that are stored on the companies’ servers for this material. Scanning data on users’ devices is a significant change.

However well-intentioned, and whether or not Apple is willing and able to follow through on its promises to protect customers’ privacy, the company’s plan highlights the fact that people who buy iPhones are not masters of their own devices. In addition, Apple is using a complicated scanning system that is hard to audit. Thus, customers face a stark reality: If you use an iPhone, you have to trust Apple.

Specifically, customers are forced to trust Apple to only use this system as described, run the system securely over time, and put the interests of their users over the interests of other parties, including the most powerful governments on the planet.

Despite Apple’s so-far-unique plan, the problem of trust isn’t specific to Apple. Other large tech companies also have considerable control over customers’ devices and insight into their data.


Subject: Postal Service Law Enforcement Isn’t Fully Tracking Inspectors’ Use of Cryptocurrencies
Source: Nextgov

Investigators reported using cryptocurrencies in nine closed cases. Auditors found another 1,064 that might not have been properly recorded. The U.S. Postal Service’s law enforcement arm has been using—and confiscating—cryptocurrencies since 2017. But a lack of oversight, training and proper procedures has led to significant policy violations and could lead to serious fraud or waste if left unchecked.

Postal inspectors need access to cryptocurrency in order to delve into the criminal underground, according to a recent review by the agency inspector general. However, these transactions must be tracked closely to prevent waste, fraud or abuse.

“The anonymity of cryptocurrency transactions and the significant fluctuations in the value of cryptocurrency create opportunities for abuse or theft when used during law enforcement activities,” the IG wrote.

To limit the risk of abuse, the agency developed an application to manage inspectors’ cryptocurrency wallets.


Subject: FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule
Source: Federal Trade Commission

Policy statement affirms that covered companies that hold fertility, heart health, glucose levels and other health data must notify consumers in the event of a breach.

The Federal Trade Commission today issued a policy statement affirming that health apps and connected devices that collect or use consumers’ health information must comply with the Health Breach Notification Rule, which requires that they notify consumers and others when their health data is breached.

In a policy statement adopted during an open meeting, the Commission noted that health apps, which can track everything from glucose levels for those with diabetes to heart health to fertility to sleep, increasingly collect sensitive and personal data from consumers. These apps have a responsibility to ensure they secure the data they collect, which includes preventing unauthorized access to such information.

… the FTC issued the Health Breach Notification Rule, which requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization. Over a decade later, health apps and other connected devices that collect personal health data are not only mainstream—and have increased in use during the pandemic—but are targets ripe for scammers and other cyber hacks. Yet, there are still too few privacy protections for these apps.


Subject: ACSC Releases Annual Cyber Threat Report
Source: ACSC via CISA

The Australian Cyber Security Centre (ACSC) has released its annual report on key cyber security threats and trends for the 2020–21 financial year. The report lists the exploitation of the pandemic environment, the disruption of essential services and critical infrastructure, ransomware, the rapid exploitation of security vulnerabilities, and the compromise of business email as last year’s most significant threats. CISA encourages users and administrators to review ACSC’s Annual Cyber Threat Report July 2020 to June 2021 and CISA’s Stop Ransomware webpage for more information.

Subject: Americans have little trust in online security: AP-NORC poll
Source: AP

“Most Americans don’t believe their personal information is secure online and aren’t satisfied with the federal government’s efforts to protect it, according to a poll. The poll by The Associated Press-NORC Center for Public Affairs Research and MeriTalk shows that 64% of Americans say their social media activity is not very or not at all secure. About as many have the same security doubts about online information revealing their physical location. Half of Americans believe their private text conversations lack security. And they’re not just concerned. They want something done about it. Nearly three-quarters of Americans say they support establishing national standards for how companies can collect, process and share personal data. “What is surprising to me is that there is a great deal of support for more government action to protect data privacy,” said Jennifer Benz, deputy director of the AP-NORC Center. “And it’s bipartisan support.”…
