Pete Recommends – Weekly highlights on cyber security issues, November 14, 2021

Subject: Report: 51% of IT leaders don’t think they could mitigate a data breach
Source: VentureBeat

A recent study from Syntax reveals that 51% of IT leaders reported they would be unable to successfully mitigate a data breach or ransomware attack. Overall, the report shows that leaders tend to overinflate their actual innovation capabilities. While many executives ranked themselves on the “leading edge,” also known as the top 5% of businesses when it comes to innovation, their actual capabilities reflect a different picture….

Read the full report by Syntax. [reg. req’d.]

Subject: November 2021 Patch Tuesday forecast: More mandates in the United States
Source: Help Net Security

The President signed an Executive Order back in May to provide more focus on protecting federal government networks. Highlights included sharing threat information between government and private sectors, improving detection and response to security incidents, and improving remediation capabilities for known vulnerabilities.

The Wall Street Journal reported CISA was releasing a directive that would require most government agencies to address “200 known security flaws identified by cybersecurity professionals between 2017 and 2020 and an additional 90 discovered in 2021 alone that have generally been observed being used by malicious hackers” in the next two weeks. Two weeks is a quick turnaround, but hopefully most of these vulnerabilities have been remediated already via regular patching or other mitigations.

In light of the recent supply chain attacks, ongoing ransomware incidents, and continual phishing activity, this mandate should raise the bar on system security.

Subject: Digital driver’s licenses: Are they secure enough for us to trust?
Source: TechRepublic

States should use a privacy by design approach instead of creating a new system to track purchases and other activities, according to security experts.

Several states are moving forward with digital driver’s licenses. Drivers in Arizona and Georgia will soon be able to use iPhones and Apple Watches as digital licenses or ID cards. People living in Kentucky, Maryland, Oklahoma, Iowa, Utah, and Connecticut are next in line for this transition.

The ACLU sees a significant risk of misuse of digital licenses:

“This raises the danger that a relatively small cadre of corporations and specialized government bureaucracies will build a new infrastructure for their own economic and administrative purposes, regardless of the larger implications. It raises the danger that there will be no balanced assessment of the costs and benefits of such a system and that we will adopt systems that do not strike the right balance between the needs for identification, security and convenience and Americans’ well-founded aversion to government and corporate surveillance and regimentation.”

Security risks of mobile driver’s licenses

As states move to implement digital identity platforms, bad actors will look for new opportunities to steal data while also using standard social engineering and other common attack methods. Rudis of Rapid7 sees these potential mDL threat scenarios:

  • An increased surface area for attackers due to connecting the mDL issuer infrastructure to the internet
  • Potential bugs and vulnerabilities in the wallet app
  • Information overreach during transactions

Rudis sees mDLs as worthwhile overall despite these potential security risks, and said that the mobile driver’s license standard has been worked on for many years and that a number of states have already implemented their own versions of the mDL wallet and reader apps.

These systems conform to the ISO/IEC FDIS 18013-5:2021 standard, which covers encryption on-device, encryption in-transit, authentication for unlocking the mDL data and configuration rules for mobile devices and servers.


Subject: Businesses don’t know how to manage VPN security properly – and cyber criminals are taking advantage
Source: ZDNet

Remote working has resulted in a rise in the use of corporate VPNs. But inexperience means many businesses aren’t equipped to look for and patch security vulnerabilities being exploited by malicious hackers.

The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time.

While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.
Many organisations still aren’t taking the action required to fully protect their networks from these attacks, say researchers.

In a presentation at Black Hat Europe, Vanautgaerden detailed how VPN vulnerabilities were being exploited by numerous cyber criminal groups.

Subject: Rittenhouse’s Lawyers Argue Apple Alters Image With Zoom Feature
Source: Gizmodo

The lawyer argued Apple uses AI in its pinch-to-zoom feature to create “what it thinks is there, not what necessarily is there.”

Are digital images a manufactured construct? Does the act of zooming fundamentally alter a file’s essence? Those are some of the unexpected, and at times inelegant, questions posed this week by the lawyers of 18-year-old Kyle Rittenhouse, who is on trial for shooting and killing two people and injuring another at a protest in Kenosha, Wisconsin last year.

During the trial, first reported by The Verge, one of Rittenhouse’s lawyers named Mark Richards objected when the prosecution attempted to use an iPad’s pinch-to-zoom feature while showing a video depicting Rittenhouse shooting one of the victims. Richards claimed Apple’s use of “artificial intelligence” in its zooming process would distort the original version by “creating what it thinks is there, not what necessarily is there.”

The prosecution, meanwhile, responded by noting that zooming in on images and videos is a common practice and something jurors would intuitively understand, and said the practice didn’t damage the “integrity” of the image, notes The New York Times.

Though some states, including California, Virginia, and Texas, have criminalized the modification of images using machine learning algorithms related to revenge porn and politics, legal precedents surrounding the general concept are still relatively nascent.


Subject: Costco discloses data breach after finding credit card skimmer
Source: Bleeping Computer

Skimmer device planted at Costco warehouse.

Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel.

The company removed the device, notified the authorities, and is now working with law enforcement agents who are investigating the incident.

“We recently discovered a payment card skimming device at a Costco warehouse you recently visited,” Costco told potentially impacted customers in breach notification letters.

“Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating.”

While the company didn’t reveal the exact timeline of the incident, Costco customers have complained about unauthorized transactions on their payment cards since at least February.

Subject: US Education Dept urged to boost K-12 schools’ ransomware defenses
Source: Bleeping Computer

The US Department of Education and Department of Homeland Security (DHS) were urged this week to more aggressively strengthen cybersecurity protections at K-12 schools across the nation to keep up with a massive wave of attacks.

The call for action comes from US Senators Maggie Hassan (D-NH), Kyrsten Sinema (D-AZ), Jacky Rosen (D-NV), and Chris Van Hollen (D-MD).

It was prompted by a Government Accountability Office (GAO) report released on Friday, assessing the Education Dept’s current plan for addressing K-12 school threats — issued in 2010 — to be significantly outdated and primarily focused on mitigating physical threats.

“K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware,” the four US Senators said.

“According to a database of publicly reported cybersecurity incidents at K-12 schools, 2019 saw almost three times more incidents than 2018 and 2020 saw a further 18 percent increase over 2019. These incidents include ransomware attacks on school districts in New Hampshire, Nevada, Arizona, and Maryland.”

For context on the impact of ransomware on US education institutions throughout 2021, ransomware attacks have disrupted education at roughly 1,000 universities, colleges, and schools since the start of the year, according to Emsisoft threat analyst Brett Callow.

While this number is lower than in 2020 (when 1,681 education institutions were hit), it’s mostly because ransomware attacks have hit smaller school districts this year.

Subject: Allow App To Track On Your iPhone—Here’s What It Means
Source: Forbes

By now, your iPhone has probably started to pop up with notifications asking, “allow [app] to track your activity across other companies’ apps and websites?” So, what does this mean? The notifications are part of a major new iPhone privacy feature called App Tracking Transparency (ATT), which was brought in by Apple in April this year with its operating system update iOS 14.5. The new iPhone feature has been around for a while now, but it’s become more common to see the pop-up as Apple developers update their apps to request to track you on your device.
