Pete Recommends – Weekly highlights on cyber security issues, October 31, 2021

Subject: FTC: ISPs collect and monetize far more user data than you’d think
Source: BleepingComputer

The Federal Trade Commission (FTC) found that the six largest internet service providers (ISPs) in the U.S. collect and share customers’ personal data without providing them with info on how it’s used or meaningful ways to control this process. “Many internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used,” the FTC said.

This was found as part of a study, started in 2019, into the privacy practices of U.S. broadband companies and related entities and how they collect, retain, use, and disclose info about consumers and their devices.

The six broadband providers included in FTC’s report are AT&T Mobility, Cellco Partnership (aka Verizon Wireless), Charter Communications Operating, Comcast (aka Xfinity), T-Mobile U.S., and Google Fiber.

The FTC also included in the study three advertising entities affiliated with these companies: AT&T’s Appnexus rebranded as Xandr, Verizon’s Verizon Online, and Oath Americas rebranded as Verizon Media.

Former FCC Chair Ajit Pai blamed for current state of things.

U.S. Senator Ron Wyden said in a statement following FTC’s report that Ajit Pai, the former head of the FCC, is likely the one who made it possible for tech firms to disregard their users’ privacy by harvesting and using their data for business purposes.

“If Congress needed any more proof that America desperately needs a consumer privacy law, the Federal Trade Commission’s report about internet service providers’ rampant abuse of their customers’ private, personal browsing information should be enough to get Washington to act,” Wyden said.

“Whether it’s advertisers, tech companies or Big Cable, corporate America is showing absolute contempt for the idea that consumers can control personal details about their lives. Democrats have introduced multiple comprehensive privacy bills that would crack down on this flagrant abuse.


Subject: Millions Of Patient Health Records Now At Risk Through Unregulated API’s
Source: Forbes

Over the course of about a year, a single ethical hacker was able to access millions of patient health records and expose systemic risks in software that are effectively outside the legal jurisdiction of the Health Information Portability and Accountability Act of 1996 (HIPAA). APIs are considered infrastructure (not application) software because they typically work below the application presentation layer as a way to bridge data requests between different (often competing) software applications. The end-user (or consumer) would see the result of an API request in a front-facing application, but not the API itself.

“Of the five FHIR API implementations I tested in phase two of my research, three contained pervasive vulnerabilities that allowed me to access over four million patient and clinician records – often using a single login. The other two were built by Electronic Health Record (EHR) vendors and I found no vulnerabilities in either of them.” Alissa Knight — Ethical Hacker and Author of “Playing With FHIR”

The final takeaway is this. FHIR is a great standard for APIs in healthcare, but until there is industrial strength certification and binding regulations that assert real penalties, software developers are effectively rewarded for taking the path of least resistance to revenue and the exposure can be measured in the millions of health records. We can’t expect — nor should we — voluntary compliance to security with something as critical as personal health information.

“Criminals always go where the action is. As APIs continue to be the solution of choice for transformation efforts, the attackers will perfect their tradecraft to attack them and Gartner estimates that by 2022, API attacks will stand out as the most frequent attack method to compromise web applications. If peer reviews and red teaming are not on the top of your priority list now, read Alissa’s research and then reprioritize.” Theresa Payton — CEO Fortalice Solutions / Former White House CIO / Author of Manipulated

Subject: Securing your digital life, part one: The basics
Source: Ars Technica via beSpacific

Ars Technica – Sean Gallagher: “I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them. It’s not entirely different from my days at Ars Technica, but it has given me a greater appreciation for just how hard it is for normal folks to stay “safe” digitally. Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked. The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there’s a good chance they’ll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information…”

Subject: The Identity Theft Resource Center’s Inaugural 2021 Business Aftermath Report Shows the Impacts Identity Crimes Have on Small Businesses
Source: The Identity Theft Resource Center

The ITRC’s 2021 Business Aftermath Report reveals that more than half of small businesses have suffered a data or security breach; one-third of companies have been breached at least three times.

The findings include:

  • Fifty-eight (58) percent of small businesses have experienced a data breach, security breach or both. Of those businesses, three-fourths have experienced at least two breaches and one-third at least three breaches.
  • Forty-four (44) percent of small businesses spent between $250,000-$500,000 to cover the costs of the breach. Sixteen (16) percent of small businesses spent between $500,000-$1 million.
  • Thirty-six (36) percent of small businesses incurred debt to cover the breach costs, and 34 percent dipped into cash reserves.
  • Fifteen (15) percent reduced their headcount to cut expenses.
  • External threat actors were responsible for 40 percent of attacks. Malicious employees and contractors were responsible for 35 percent of the attacks.

Download the ITRC’s 2021 Business Aftermath Report

Subject: These phishing emails use QR codes to bypass defences and steal Microsoft 365 usernames and passwords
Source: ZDNet

Cyber criminals are looking for sneaky new ways to dupe victims into clicking links to phishing websites designed to look like authentic Microsoft login pages, accidentally handing over their credentials.

One recent campaign detailed by cybersecurity researchers at Abnormal Security sent hundreds of phishing emails that attempted to use QR codes designed to bypass email protections and steal login information. This is known as a “quishing” attack.

QR codes can be useful in attempts at malicious activity because standard email security protections like URL scanners won’t pick up any indication of a suspicious link or attachment in the message.

The campaign is run from previously compromised email accounts, allowing the attackers to send emails from accounts used by real people at real companies to add an aura of legitimacy to the emails, which could encourage victims to trust them. It’s not certain how the attackers initially gain control of the accounts they’re using to distribute the phishing emails.

While the QR code method can more easily bypass email protections, the victim needs to follow many more steps before they reach the point where they could mistakenly give their login credentials to cyber criminals. For a start, the user needs to scan the QR code in the first place — and if they’re opening the email on a mobile, they’ll struggle to do this without a second phone.

Subject: You can now remove pictures of minors from Google Search — here’s how
Source: Android Central

Any child, teen, parent, or guardian can request to have search results for image URLs removed — though there are exceptions. What you need to know:

  • Google has implemented a policy to “give young people more control over their digital footprint and where their images can be found on Search.”
  • You can remove any photo search result “with the exception of cases of compelling public interest or newsworthiness.”
  • This removal only affects Google Search, not the site where the photo is posted.

Google already allows adults to remove personal information as well, specifically related to personal info, doxxing, or sexually explicit content.

Finally, Google specified that sexually explicit photos of minors (aka child pornography) shouldn’t be reported through this form; you should contact the National Center for Missing and Exploited Children instead.

Subject: Security bug in ‘vaccine passport’ exposed records of New Jersey, Utah residents
Source: Becker’s Health IT

A security bug in the Docket app exposed COVID-19 vaccine records in Utah and New Jersey, TechCrunch reported Oct. 27. Six notes:

  1. The app, widely described as a vaccine passport, allows residents to pull vaccination records from their state’s health department and carry a digital copy of the record on their smartphone. App users are able to show their QR code to gain access to locations that require proof of vaccination against COVID-19.
  2. A vulnerability in the app allowed anyone to access QR codes of vaccinated users and the personal information stored in the code, according to the report. An app user could change their user ID and request someone else’s QR code. Docket’s user IDs are in sequential order, so codes could be emulated by changing the ID number by a single digit, TechCrunch reported.
  3. Exposed data includes names, birth dates and COVID-19 vaccine-related information.
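The flaw described in note 2 is a classic insecure direct object reference: the server hands back whichever record the client names, and because the identifiers are sequential, every record is one guess away. The following added example is not Docket’s code and is not from the TechCrunch report; it is a constructed in-memory service (the records, user IDs, function names and the access log are all made up) that shows the vulnerable lookup beside two hardened forms, a server-side ownership check and opaque random handles, plus a simple log heuristic a defender could use to spot a session walking through many IDs.

```python
import secrets
from dataclasses import dataclass

# Constructed sample data: three vaccination records keyed by sequential
# user IDs, standing in for the per-user records the article describes.
@dataclass(frozen=True)
class VaccineRecord:
    user_id: int
    name: str
    birth_date: str
    doses: tuple

RECORDS = {
    1001: VaccineRecord(1001, "Alice Example", "1980-01-01", ("2021-03-01", "2021-03-29")),
    1002: VaccineRecord(1002, "Bob Example", "1975-06-15", ("2021-04-10", "2021-05-08")),
    1003: VaccineRecord(1003, "Carol Example", "1990-12-31", ("2021-02-20", "2021-03-20")),
}


def qr_payload(rec: VaccineRecord) -> str:
    """The string that would be encoded into the QR code (hypothetical format)."""
    return f"{rec.name}|{rec.birth_date}|{','.join(rec.doses)}"


# VULNERABLE: the handler trusts the client-supplied user ID and never
# checks that it belongs to the authenticated session. Any logged-in user
# can fetch any other user's record simply by changing the number.
def get_qr_vulnerable(session_user_id: int, requested_user_id: int):
    rec = RECORDS.get(requested_user_id)
    return qr_payload(rec) if rec else None


# HARDENED step 1: authorize against the session identity. The requested ID
# is only honoured when it matches the user the session was issued for.
def get_qr_hardened(session_user_id: int, requested_user_id: int):
    if requested_user_id != session_user_id:
        return None  # treat as not found; do not leak whether the ID exists
    rec = RECORDS.get(session_user_id)
    return qr_payload(rec) if rec else None


# HARDENED step 2: when a record must be reachable by a handle (for example a
# shareable link), issue an opaque random token instead of exposing the
# sequential user ID. Guessing a 128-bit token is not practical.
HANDLES: dict = {}


def issue_handle(user_id: int) -> str:
    handle = secrets.token_urlsafe(16)  # 128 bits of randomness
    HANDLES[handle] = user_id
    return handle


def get_qr_by_handle(handle: str):
    user_id = HANDLES.get(handle)
    rec = RECORDS.get(user_id) if user_id is not None else None
    return qr_payload(rec) if rec else None


# DETECTION: over an access log of (session, requested_user_id) pairs, flag
# sessions that asked for at least `threshold` distinct IDs. A legitimate user
# only ever asks for their own record, so breadth of IDs is the signal.
def enumeration_suspects(access_log, threshold: int = 3):
    per_session: dict = {}
    for session, requested in access_log:
        per_session.setdefault(session, set()).add(requested)
    return sorted(s for s, ids in per_session.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Constructed log: session s1 walks three consecutive IDs, s2 asks once.
    log = [("s1", 1001), ("s1", 1002), ("s1", 1003), ("s2", 1002)]
    print("vulnerable cross-user read:", get_qr_vulnerable(1001, 1002))
    print("hardened cross-user read:", get_qr_hardened(1001, 1002))
    print("suspected enumeration sessions:", enumeration_suspects(log))
```

The ownership check is the fix that matters; random handles only reduce guessability and should sit on top of authorization, not replace it. The log heuristic is deliberately simple (distinct IDs per session) and would need a time window and per-endpoint tuning in a real service.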
