Pete Recommends – Weekly highlights on cyber security issues, October 2, 2021

Subject: Apple’s App Tracking Transparency Feature Doesn’t Stop Tracking
Source: Gizmodo

Research shows shady app developers are still grabbing your data without your permission, and Apple hasn’t stopped them.

The App Tracking Transparency (ATT) settings that came bundled in an iOS 14 update gave iPhone users everywhere the power to tell their favorite apps (and Facebook) to knock off the whole tracking thing. Saying no, Apple promised, would stop these apps from tracking you as you browse the web, and through other apps on your phone. Well, it turns out that wasn’t quite the case. The Washington Post was first to report on a research study that put Apple’s ATT feature to the test, and found the setting… pretty much useless. As the researchers put it:

Some Apple critics in the marketing world have been raising red flags for months about potential antitrust issues with Apple’s ATT rollout, and it’s not hard to see why. It gave Apple exclusive access to a particularly powerful piece of intel on all of its customers, the IDFA, while leaving competing tech firms scrambling for whatever scraps of data they can find. If all of those scraps become Apple’s sole property, too, that’s practically begging for even more antitrust scrutiny to be thrown its way. What Apple seems to be doing here is what any of us would likely do in its situation: picking its battles.

Subject: CISA and NSA Release Guidance on Selecting and Hardening VPNs
Source: CISA and NSA

The National Security Agency (NSA) and CISA have released the cybersecurity information sheet Selecting and Hardening Standards-based Remote Access VPN Solutions to address the potential security risks associated with using Virtual Private Networks (VPNs). Remote-access VPN servers allow off-site users to tunnel into protected networks, making these entry points vulnerable to exploitation by malicious cyber actors. Exploitation of these devices can enable…

Subject: Our Favorite Ad Blockers and Browser Extensions to Protect Privacy
Source: Wirecutter via beSpacific

Wirecutter: “Everything you do online—from browsing to shopping to using social networks—is tracked, typically as behavioral or advertising data. But browser extensions are simple, generally free add-ons that you can use to slow down or break this type of data collection, without completely ruining your experience of using the internet. Privacy almost always comes at the cost of usability. Sometimes a browser extension might cause a website to display text strangely, prevent embedded images or tweets from loading on a page, or remove the little social media buttons that make it easy to share an article. But in exchange for the occasional slight headache, companies will have a harder time tracking what you do online. Not all browsers offer the exact same extensions, but Google Chrome and Mozilla Firefox are the two most popular browsers, and the ones I focus on here. (Most Chrome extensions will also work with Microsoft Edge, Brave, Opera, and Vivaldi, though we haven’t fully tested them.) Of the two, I recommend Firefox if you prioritize privacy, as it’s much more focused on privacy out of the box compared with Chrome. Regardless of which browser you use, a pack of extensions can increase your privacy by decreasing your exposure to trackers, as well as have the welcome side effect of boosting your security. I’ve included links for both Chrome and Firefox, along with alternatives to our favorites, if they exist. As for other browsers, Apple’s Safari isn’t bad when it comes to privacy, but it lacks wide support for popular browser extensions. Edge is based on Chromium and will work with the bulk of the Chrome extensions in this article, we haven’t tested it thoroughly. Brave is one of the more popular privacy-first browsers, but even it isn’t free of privacy-related controversies. The Tor Browser is the go-to for anonymity, especially in censored countries, but it’s unusable for most people as a daily browser. Dozens of other lower-profile browsers exist, but few get the security updates and support that most of us need in the software we use all day..”

Subject: FCC Working on Rule for Wireless Carriers to Avert SIM Swap Fraud
Source: Nextgov

More than a year after lawmakers requested such action to protect consumer data and national security, the commission’s move could help to stop hackers undermining multifactor authentication.

The Federal Communications Commission unanimously agreed to embark on a rulemaking that would require mobile network companies to verify the identity of consumers requesting changes to their accounts—an effort to stem subscriber-identity-module—or SIM—card fraud.

During a commission meeting Thursday, acting FCC Chairwoman Jessica Rosenworcel explained how the hack undermines multifactor authentication, a bedrock element of basic cybersecurity hygiene that has become even more important in the wake of major recent breaches involving credential theft.

“If a cyber criminal or foreign government uses a SIM swap to hack into the email account of a local public safety official, they could then leverage that access to issue alerts using the federal alert and warning system operated by the Federal Emergency Management System,” reads the letter led by Sen. Ron Wyden, D-Ore. “Countless other government websites used by millions of Americans either allow password resets via email or support two-factor authentication via SMS, which can both be exploited by hackers using SIM swaps.”

According to the FCC, the commission proposes amending the Customer Proprietary Network Information and Local Number Portability rules to require carriers’ secure authentication of a customer before changing their number to a new device and to immediately notify customers whenever a SIM change is requested on their accounts.

[What happens when you buy a new phone and move your move your “old” phone’s telephone # and a new (e-)sim is assigned? (assuming you have the old phone’s accounts’ info) /pmw1]

Subject: New Chrome feature can tell sites and webapps when you’re idle
Source: Tech Republic

“The new Idle Detection API gives Chrome the ability to register whether a user is active, and has drawn concerns from privacy advocates. Here’s how to disable it…”

Subject: Bye Google: 7 privacy-first search engines everyone should try
Source: Fast Company

“Even if you have nothing to hide, searching the web with Google can sometimes feel unnerving. Maybe you’ve got a medical question or financial concern that you’d rather keep to yourself, or you want to research a product that won’t later become fodder for targeted ads. In all those cases, it’s nice to search the web without having a tech giant logging your every move That’s why I’m a big proponent of spending some quality time with private alternatives, ones that don’t keep a record of your search history. Set a search engine like DuckDuckGo as your default, and you end up missing Google less than you’d anticipated. And if not, you can always go crawling back. Below are some of the best ones to check out. While they each have their pros and cons, they all promise not to keep a personal record of your search history…”

Subject: SEC, DICT ink agreement for cybercrime prevention programs
Source: MSN

THE Securities and Exchange Commission (SEC) has signed an agreement with the Department of Information and Communications Technology (DICT) for cybercrime prevention initiatives. The memorandum of agreement (MoA) between the SEC and DICT’s Cybercrime Investigation and Coordinating Center (CICC) is in line with the country’s Republic Act No. 10175 or the Cybercrime Prevention Act. “Through this MoA, the commission can enhance our ability to adapt to more complex tools employed in fraudulent investment schemes so that we can implement adequate and preventive measures to avoid grave and irreparable damage to the investing public and employ the necessary detection procedures to ensure the capture of bad actors,” SEC Chairperson Emilio B. Aquino was quoted as saying.

Subject: Troll farms reached 140 million Americans a month on Facebook before 2020 election, internal report shows
Source: MIT Technology Review

In the run-up to the 2020 election, the most highly contested in US history, Facebook’s most popular pages for Christian and Black American content were being run by Eastern European troll farms. These pages were part of a larger network that collectively reached nearly half of all Americans, according to an internal company report, and achieved that reach not through user choice but primarily as a result of Facebook’s own platform design and engagement-hungry algorithm.

The company’s AI algorithms gave it an insatiable habit for lies and hate speech. Now the man who built them can’t fix the problem.

The report, written in October 2019 and obtained by MIT Technology Review from a former Facebook employee not involved in researching it, found that after the 2016 election, Facebook failed to prioritize fundamental changes to how its platform promotes and distributes information. The company instead pursued a whack-a-mole strategy that involved monitoring and quashing the activity of bad actors when they engaged in political discourse, and adding some guardrails that prevented “the worst of the worst.”…

Posted in: AI, Business Research, KM, Privacy, Search Engines, Search Strategies, Social Media