Pete Recommends – Weekly highlights on cyber security issues, October 24, 2021

Subject: Warranty Repairs and Non-Removable Storage Risks
Source: InfoSec Handlers Diary Blog

I have been asked several times in recent months about addressing risks of warranty repair service of laptops/tablets.  With each of these situations, the question boiled down to the same underlying issue: non-removable storage.  “It depends” has been my standard response, as there are many key factors to accurately framing the response.  Organizational policies which defines their risk appetite and/or external regulations typically characterize what can be done.The organization’s policies and general risk appetite are the first place to look for guidance. Media sanitization policies may reference how to handle a situation where a device begins to fail.
One of the people who asked this question works within a small financial services/tax preparation organization.One of the people who asked this question works within a small financial services/tax preparation organization.  About 10 years ago, the organization had invested in one of the big four audit firms to review their operations which resulted in several policies being written and procedure changes.  One of these policies stated that “hard drives, thumb drives, and other forms of digital media must be removed and destroyed prior to desktop or laptops leaving the organization.”  This made perfect sense at the time due to how much sensitive PII was being processed each year and the types of issues were being reported in the mass media at the time.  That organization framed their policy around the idea that drives would be removed from desktops and laptops at the end of their useful life span as they had no risk appetite for showing up in the news.  But, that policy had not been updated to fit the changing world in the past decade, or really consider what to do with warranty services.

Subject: Cracking Cold Cases: Police Using Podcasts to Track Down Killers
Source: Route Fifty

Police officials say that department-sponsored podcasts—free, easy to download and available on demand—are perfect for disseminating information. (America’s true-crime obsession doesn’t hurt.)
On Aug. 4, 2019, Peter Chadwick, a real estate magnate who fled the country in 2015 after being charged with his wife’s murder, was apprehended in Mexico. At a press conference two days later, Newport Beach Chief Jon Lewis credited an unusual source for helping with the investigation: the true-crime podcast “Countdown to Capture,” launched by his California police department a year earlier.
“What this podcast did was increase awareness and generate leads for us. It also kept this case in the forefront of people’s minds,” Lewis said. “It’s our belief that we put pressure on Peter, which is something that we wanted to do as well, and that was the reason we chose to use this vehicle.”Jennifer Manzella, creator and host of the podcast as well as the department’s spokeswoman at the time, was skeptical. The podcast—a largely one-woman project, recorded and produced in Manzella’s bedroom closet—had been an instant hit, notching 400,000 plays and charting in multiple countries shortly after its release, eventually peaking at the 24th-place ranking across all genres in iTunes….

“Countdown to Capture,” released in September 2018, is believed to be the first true-crime podcast produced entirely by a police department. It’s a new take on a popular genre, where a podcast host tells the detailed story of a criminal case in chronological fashion, either one episode at a time or all at once.

Before 2018, true-crime podcasts were hosted mostly by investigative journalists, comedians and other media personalities. But in the wake of “Countdown to Capture,” other law enforcement agencies have embraced the medium. There’s “Break in the Case” from the New York City Police Department and “Silicon Valley Beat” from the Mountain View (California) Police Department. Last year, the Winchester Police Department in northern Virginia detailed one of its cold cases in a podcast titled “Defrost.”


Subject: How Facebook News Feed Works: Study
Source: Gizmodo

Only Facebook knows the secret sauce underlying its News Feed’s ranking algorithm—but new research may explain the source of the problems.At a time when American’s trust in the news media is plummeting to record lows, one recent Pew poll reported that about a third of U.S. adults say they regularly get their news fix from Facebook’s feeds—even if their own trust in Facebook itself is plummeting to new lows for, oh, whatever reason. Needless to say, the News Feed is a hugely consequential space that carries enormous sway in the lives of countless people scrolling through it every day.

Writing about the News Feed algorithm in 2016, the Atlantic compared its influence on the media to a traditional news mogul like Rupert Murdoch. But while Murdoch’s agenda is pretty easy to spot, an algorithm is, well, an algorithm—save for a few vaguely worded blog posts over the years, the company keeps a pretty tight lid on the system’s specifics.

If you ask critics—including a mounting number of ex-Facebook employees—about the algorithm’s agenda, however, one word keeps bubbling up again and again: engagement. As Facebook whistleblower Frances Haugen succinctly put it in a recent 60 Minutes interview, the company is constantly “optimizing for content that gets engagement, or reaction,” out of its users. Usually, this criticism of engagement is linked to content that’s polarizing, hateful, and divisive.

Subject: Sharpening the focus for smartphone-based evidence
Source: GCN

The amount of digital exhaust the average American produces is increasing exponentially. For criminal investigators, having to sift through personal data from smartphones, fitness trackers, laptops, home security systems and municipal security cameras for relevant text, images, video, social media and location data can be overwhelming, especially following a mass incident involving many victims and witnesses.“Today, it could be 500 terabytes in an incident with thousands of people using smart phones, security cameras in the areas,” said Umit Karabiyik, an assistant professor in computer and information technology in the Purdue Polytechnic Institute at Purdue University. “It’s like trying to find a needle in a needle stack rather than a hay stack,” he told Purdue News. “Which needles are you interested in? Which one specific item is the piece of data you need?”

The researchers developed a smartphone app that helps victim or witness bookmark potentially relevant data on their phones and displays a consent form — which must be signed by both the investigator and the phone’s owner — before data is downloaded. Nothing is shared with law enforcement unless specific consent is given on specific data from the person via the app, Karabiyik said.

Subject: 5 Ways to Keep Vaccine ‘Cold Chain’ Safe from Hackers
Source: Nextgov

Health systems can prevent outsiders from tampering with the equipment that keeps vaccines ultra cold. Health systems can prevent the hacking of electronics in the “cold chain” that keeps items like COVID-19 vaccines ultra-cold during storage and transport, say researchers.

A major health system commissioned the study, which finds that an attacker located near equipment like freezers and coolers could use electromagnetic interference generated by simple devices like walkie-talkies to fool temperature sensors into giving false readings.

The interference could cause a cooler’s temperature monitor to falsely indicate that the vaccine inside has become too warm to use, or it could cause a freezer to malfunction and spoil its contents.

The good news is there are simple steps that hospitals and health systems can take to protect themselves. Kevin Fu, then associate professor of electrical engineering and computer science at the University of Michigan, led the study. Fu later joined the FDA as acting director of medical device cybersecurity. He recommends the following five steps:


Subject: Can Facebook’s Smart Glasses Be Smart about Security and Privacy?
Source: Nextgov

How can someone know if the wearer is looking at you or looking at personal information about you?Facebook’s smart glasses ambitions are in the news again. The company has launched a worldwide project dubbed Ego4D to research new uses for smart glasses.

In September, Facebook unveiled its Ray-Ban Stories glasses, which have two cameras and three microphones built in. The glasses capture audio and video so wearers can record their experiences and interactions.

The research project aims to add augmented reality features to smart glasses using artificial intelligence technologies that could provide wearers with a wealth of information, including the ability to get answers to questions like “Where did I leave my keys?” Facebook’s vision also includes a future where the glasses can “know who’s saying what when and who’s paying attention to whom.”

Several other technology companies like Google, Microsoft, Snap, Vuzix and Lenovo have also been experimenting with versions of augmented or mixed reality glasses. Augmented reality glasses can display useful information within the lenses, providing an electronically enhanced view of the world. For example, smart glasses could draw a line over the road to show you the next turn or let you see a restaurant’s Yelp rating as you look at its sign.

As a researcher who studies computer security and privacy, I believe it’s important for technology companies to proceed with caution and consider the security and privacy risks of augmented reality.


Subject: Investigating Cybercrime and the Dark Web
Source: Global Investigative Journalism Networks

Cybercrime is any criminal activity perpetrated in a digital realm. While we often think of cybercrime as defined by “hacking,” which in this context refers to unauthorized entry into a digital environment, there are many other types of crimes, including physical crimes, that extend into this world.Everything from trafficking in child pornography, to a bank insider changing a customer’s ATM information and withdrawing illicit funds, to the theft of source code, falls into the category of “cyber” crimes. Cybercrime, when perpetrated successfully, often reveals the exploitation of legal privacy violations – for instance, when a company has improperly encrypted personal information and that data is stolen, this would constitute a violation of consumer privacy by the company, and a cybercrime by the individuals who stole the data.

Financial losses because of cybercrime are simultaneously astronomical and very difficult to predict or calculate. Billionaire investor Warren Buffett has, in the past, commented that he pushes his businesses to avoid the cyber insurance market because there is not enough data to predict how much money could be lost. This hard-to-define risk contrasts sharply with our understanding of other types of monetary losses from natural disasters, like hurricanes or floods, or other criminal activity, like bank robberies or physical sabotage. Rough estimates from various sources — including McAfee, Cybersecurity Ventures, the SANS Institute, and the FBI — point to damages from cybercrime to government and business in the trillions of dollars.

Posted in: Business Research, Competitive Intelligence, Court Resources, Cybercrime, Cybersecurity, Healthcare, Legal Research, Privacy, Technology Trends