Pete Recommends – Weekly highlights on cyber security issues, November 28, 2021

Subject: Privacy-Protective Internet Browser Tor Is Low on Servers
Source: Gizmodo
https://gizmodo.com/privacy-protective-internet-browser-tor-is-running-low-1848095632

The Tor Project has launched a campaign to encourage volunteers to run private bridge servers. The Tor browser, arguably the best privacy-protective internet browser available for most people, is running low on bridge servers. The decline in servers affects the browser’s ability to combat censorship and provide a gateway to the open internet in places where governments and other entities tightly control access to information.

In a blog update published this week, the nonprofit Tor Project, the organization that maintains and develops the Tor software, said it currently had approximately 1,200 bridge servers, or bridges, of which 900 support the obfs4 obfuscation protocol. Bridges are private servers that provide access to users living in places where the Tor network is blocked. Tor provides users with anonymity by relaying connections to a server multiple times and, in some cases, through multiple countries.

Nonetheless, it should be noted that Tor isn’t just used by people who can’t access the internet in their country. It’s also used by people who want to hide their IP address or who don’t want their browsing activities tracked.

Filed: https://gizmodo.com/tech/news


Subject: API security ‘arms race’ heats up
Source: VentureBeat
https://venturebeat.com/2021/11/19/api-security-arms-race-heats-up/

Enterprises are starting to catch on to the massive security risk that the pervasive use of application programming interfaces (APIs) can create, but many still need to get up to speed. Poorly secured APIs have been recognized as an issue for years. Data breaches of T-Mobile and Facebook discovered in 2018, for instance, both stemmed from API flaws.

But API security has now come even more to the forefront with enterprises across all industries in the process of turning into digital businesses — a shift that necessitates lots and lots of APIs. The software serves as an intermediary between different applications, allowing apps and websites to access more data and gain greater functionality.

The implication of APIs in high-profile hacks such as the SolarWinds attack is also spurring more companies to pay attention to the issue of API security — though many still have yet to take action, says Gartner’s Peter Firstbrook.

API exploits – The most frequent API-based attacks involve exploitation of an API’s authentication and authorization policies, he said. In these attacks, the hacker breaks the authentication and the authorization intent of the API in order to access data.

“Now you have an unintended actor accessing a resource, such as sensitive customer data, with the organization believing that nothing was awry,” Mattson said.


Subject: NJ offers in-person ID verification for online services
Source: GCN
https://gcn.com/articles/2021/11/19/in-person-id-verification.aspx

The New Jersey Department of Labor and Workforce Development (NJDOL) is rolling out a new service that allows individuals — even those without a mobile phone or dedicated internet access – to verify their identity at retail locations so they can access online government services, including applying for unemployment insurance (UI). The state is working with ID.me, a digital identity network provider, and Sterling Check Corp., which provides background screening and identity services at retail facilities across the U.S. The solution will ensure those without a smartphone or reliable online access can digitally verify their identity by visiting a designated retail location.

ID.me typically verifies that individuals are who they say they are by having them take selfies or asking them to appear on video and checking to make sure their faces match the photos on identity documents used to apply for benefits. Those without smartphones can now be verified at Sterling Check locations.

Once individuals verify their identity in person, they get an ID.me credential that allows them to access a range of government services. ID.me is used in California, Florida and 25 other states as well as by the Department of Veterans Affairs, the Social Security Administration, the Department of Treasury and hundreds of other organizations.


Subject: Localities and States Are Turning to Data Analytics to Catch Fraudsters—And It’s Working
Source: Route Fifty
https://www.route-fifty.com/finance/2021/11/localities-and-states-are-turning-data-analytics-catch-fraudstersand-its-working/186996/

Electronic analysis can be costly, but low-tech paper systems don’t work anymore, government officials say. When a health care provider submitted a request for $8,002,021 to New York’s Medicaid program in October, it raised eyebrows among state auditors, who, just a few years ago, had started scouring government databases for suspicious public assistance transactions.

The state flagged the invoice as abnormally large, denied the payment and investigated the claim. It turned out that the vendor had inadvertently made a typo that combined the amount of the payment—$800—with the year—2021.

For New York and for an increasing number of states, that vigilance has come in the form of data analytics, the process of using computers to collect huge stores of data and flag abnormalities, and then assigning humans to identify which transactions are legitimate and which are suspicious. Often, an analysis of the data can pinpoint waste and inefficiencies that lead to policy changes.

That wealth of data led auditors in Oregon, originally assigned to parse the long list of those on public assistance for deceased recipients, to dive deeper into potentially improper payments. After finding more than 1,000 deceased recipients who had received a collective $6.8 million in payments, the auditors uncovered 384 inmates on public assistance and a high-dollar lottery winner who continued to collect public assistance payments for 16 months after hitting the jackpot.

Audit manager Ian Green added, “Over time, the fraud grew. … This is one of the lessons we’ve learned: If they get away with it for a period of time, the word spreads in the community … that they could sell their benefits at that market.”

Monitoring Employees and Residents
Still, even government insiders sometimes participate in fraud, he said. County governments have turned to data analytics to monitor fraud and abuse by employees and residents.

Rita Reynolds, chief information officer for the National Association of Counties, said governments can use data to spot abnormalities in the frequency with which employees access confidential county records.

“If I’m a county staff person and I don’t usually log on after hours and all of a sudden there’s a log-on from the individual at night, that raises a red flag,” Reynolds said. “Why is the person doing that?”

Increasingly, she said, employees are accessing government data with the intention to sell it. …
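The two checks this article describes (an invoice far out of line with a vendor's own history, and an employee logging on at an hour they never work) are simple enough to write down. The following is an added example, not code from the Route Fifty article or from any state auditor; the claim amounts, user names and access-log lines are constructed for the demo, and the "10x the vendor's median" and "within one hour of a baseline hour" thresholds are arbitrary choices a real program would tune.

```python
"""Added example: two of the fraud-analytics rules the article describes,
applied to constructed sample data (not real claims or logs)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed claim history: (vendor, amount in dollars). The last clinic-a
# entry reproduces the typo the article describes: "$800" fused with "2021".
CLAIMS = [
    ("clinic-a", 750), ("clinic-a", 800), ("clinic-a", 820),
    ("clinic-a", 790), ("clinic-a", 8_002_021),
    ("clinic-b", 12_000), ("clinic-b", 11_500), ("clinic-b", 12_400),
]


def flag_large_claims(claims, factor=10):
    """Return (vendor, amount) pairs whose amount exceeds `factor` times the
    median of that vendor's claims. The median is used instead of the mean so
    that a single huge outlier cannot drag the baseline up and hide itself."""
    by_vendor = defaultdict(list)
    for vendor, amount in claims:
        by_vendor[vendor].append(amount)
    baseline = {v: median(a) for v, a in by_vendor.items()}
    return [(v, a) for v, a in claims if a > factor * baseline[v]]


# Constructed record-access log. Lines before CUTOFF are used to learn each
# user's normal working hours; lines after it are checked against that baseline.
LOG_LINES = """\
2021-11-01T09:12:03 user=jdoe action=view record=CR-1001
2021-11-01T14:48:10 user=jdoe action=view record=CR-1017
2021-11-02T10:05:41 user=jdoe action=view record=CR-1020
2021-11-03T15:30:02 user=jdoe action=view record=CR-1033
2021-11-01T22:10:00 user=msmith action=view record=CR-1002
2021-11-02T23:45:19 user=msmith action=view record=CR-1009
2021-11-03T00:20:33 user=msmith action=view record=CR-1011
2021-11-20T23:41:57 user=jdoe action=view record=CR-2044
2021-11-20T23:05:12 user=msmith action=view record=CR-2050
2021-11-21T02:15:00 user=jdoe action=view record=CR-2051
""".splitlines()

CUTOFF = datetime(2021, 11, 10)


def parse(line):
    """Split one 'timestamp key=value ...' line into (datetime, user, record)."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["user"], fields["record"]


def hour_distance(a, b):
    """Distance between two hours of the day on a 24-hour circle (23 vs 0 is 1)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_offhours_access(lines, cutoff=CUTOFF, tolerance=1):
    """Return (user, timestamp, record) for accesses after `cutoff` whose hour
    is more than `tolerance` hours away from every hour the same user was seen
    active before the cutoff. A night-shift user therefore is not flagged for
    a night-time access, while a day-shift user is. Users with no baseline at
    all are flagged too, since there is nothing to compare them against."""
    events = [parse(line) for line in lines]
    baseline = defaultdict(set)
    for ts, user, _ in events:
        if ts < cutoff:
            baseline[user].add(ts.hour)
    flagged = []
    for ts, user, record in events:
        if ts < cutoff:
            continue
        hours = baseline[user]
        if not hours or all(hour_distance(ts.hour, h) > tolerance for h in hours):
            flagged.append((user, ts.isoformat(), record))
    return flagged


if __name__ == "__main__":
    for vendor, amount in flag_large_claims(CLAIMS):
        print(f"large claim: {vendor} ${amount:,}")
    for user, when, record in flag_offhours_access(LOG_LINES):
        print(f"off-hours access: {user} {when} {record}")
```

Both rules only surface candidates; as the article says, a person still has to decide which flagged transactions are legitimate. The baseline window also matters: if the learning period already contains the abuse, the abuse becomes "normal".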


Subject: What’s stopping consumers from acting on a data breach notice?
Source: Help Net Security
https://www.helpnetsecurity.com/2021/11/22/consumers-data-breach/

Only three percent of consumers implemented a credit freeze after receiving a data breach notice, 11 percent enrolled in credit/data monitoring, and only 22 percent changed all of their account passwords, a recent survey by DIG.Works on behalf of the Identity Theft Resource Center (ITRC) has shown. 48 percent of the respondents only changed the password on the breached account, and 16 percent took no action at all.

Those that didn’t act after receiving a breach notice offered a variety of reasons – from “My data is already out there” to being unsure of what to do.

The ITRC believes that organizations should review how they notify consumers of data breaches with the goal of reducing the level of inaction and improving the rates of credit freeze adoption.


Subject: An introduction to U.S. data compliance laws
Source: Help Net Security
https://www.helpnetsecurity.com/2021/11/22/u-s-data-compliance-laws/

Due to technological advances like the rise of cloud storage and social media, there is an increasing concern over privacy — especially when it comes to how businesses collect and use customer data. While the U.S. does not presently have an all-encompassing privacy law for the entire country, more and more states are establishing their own privacy laws, following the lead of California, which has the CPRA (superseding the CCPA).

Breaking down U.S. compliance laws by state

At present, there are four notable state privacy laws that have been passed into law and are already being implemented or are expected to be soon.


Subject: 80 Looters Hit Nordstrom Store in California
Source: AP via Newser
https://www.newser.com/story/313646/80-looters-hit-nordstrom-store-in-california.html

(Newser) – About 80 people, some wearing ski masks and wielding crowbars, ransacked a high-end department store in the San Francisco Bay Area, assaulting employees and stealing merchandise before fleeing in cars waiting outside, police and witnesses said. Three people were arrested while the majority got away after the large-scale theft Saturday night shocked shoppers at the Nordstrom at the Broadway Plaza outdoor mall in Walnut Creek, police said in a statement Sunday. Two employees were assaulted and one was hit with pepper spray during what police called “clearly a planned event,” the AP reports….


Subject: NSA, CISA Say Industry Should Use Attestation Technology to Secure 5G Environments
Source: Nextgov
https://www.nextgov.com/cybersecurity/2021/11/nsa-cisa-say-industry-should-use-attestation-technology-secure-5g-environments/187024/

The tech can provide evidence of compliance with configuration standards and detect anomalies in complex multi-tenant, multi-cloud computing architectures. Cloud service providers and mobile operating networks should implement technology to avert cascading impacts from compromised applications by monitoring access controls to the “containers” that are increasingly used to more efficiently manage them, according to new guidance from the National Security Agency and the Cybersecurity and Infrastructure Security Agency.

“Preventing a process that runs in a container from escaping the isolation boundaries of its container and gaining access to the underlying host is [a] threat that must be addressed,” the agencies wrote in guidance released Friday. “Capabilities that enable the detection of unexpected behavior, such as dynamic verification through attestation or use of behavior profiles, need to be industry best practices.”


Subject: Have FatPipe VPN? Update Now: FBI Warns of Zero-Day Flaw
Source: Tech.co
https://tech.co/news/fatpipe-vpn-update-zero-day-flaw

Hackers have been using the flaw to gain access to companies’ internal networks for months.

Hackers have been exploiting a zero-day vulnerability in FatPipe VPN software since May, the FBI has announced.

A patch has been released, so anyone using the FatPipe WARP, MPVPN, or IPVPN software should update immediately in order to protect themselves moving forward.

No company is infallible when it comes to zero-day vulnerabilities, from Apple to Google, but it’s always sad to see in a VPN, a service explicitly designed to keep its users safe.

FatPipe wasn’t on our list of the most trusted and secure VPNs, where we ranked NordVPN, IPVanish, and PureVPN among the cream of the business-data-securing crop.

But perhaps the best test of the discovery of a software vulnerability is in how well the safeguards and redundancies that were already in place have worked to mitigate any harm the flaw could cause. Take the example of NordVPN’s 2018 data breach: Just one of the company’s 3,000+ servers was affected and NordVPN quickly addressed it. No user data was compromised in the incident, and NordVPN’s zero logging policy meant no data was available to be compromised.


Subject: Research finds US adults have context-specific views on biometric technology use
Source: Penn State University News Wire
https://www.psu.edu/news/engineering/story/research-finds-us-adults-have-context-specific-views-biometric-technology-use/

UNIVERSITY PARK, Pa. — As the application of facial recognition and DNA technologies increases across industries and domains, questions arise concerning the public’s comfort with biometric modalities, the acceptability of using biometrics in various societal contexts, and the public’s trust in public and private entities using biometric technologies. An international team of researchers set out to understand perspectives about biometric technologies held by a representative sample of adults across the United States.

The team published the results in IEEE Transactions on Technology and Society. Of the survey respondents, nearly 41% ranked fingerprints as the biometric they were most comfortable with for wide use. As the team expected, survey results showed a correlation between prior experience with biometric technologies and increased comfortability, although it is not possible to infer whether comfort influenced those prior experiences or vice versa. When asked to rank the biometric technologies based on level of comfort, most survey participants indicated they are very or somewhat comfortable with all the technologies — 74.8% for fingerprint use, 66.2% for voice samples, 63% for hand geometry use, 61.1% for facial imaging and 60.6% for eye scans. The lowest percentage of a very or somewhat comfortable rating was reported for DNA at 55.6%. Demographics showed little to no effect on reported comfort levels.

Additional research completed by the team, specific to health care and research settings, was recently published in PLOS ONE.


Subject: When the Eye on Older Patients Is a Camera
Source: Kaiser Health News
https://khn.org/news/article/high-tech-monitoring-dementia-patients/

Monitoring also raises ethical questions about privacy and quality of care. Still, the systems make it possible for many older people to stay in their home, which can cost them far less than institutional care. Living at home is what most people prefer, especially in light of the toll the covid-19 pandemic took on nursing homes.

Technology could help fill a huge gap in home care for the elderly. Paid caregivers are in short supply to meet the needs of the aging population, which is expected to more than double in coming decades. The shortage is fueled by low pay, meager benefits and high rates of burnout.

And for the nearly 1 in 5 U.S adults who are caregivers to a family member or friend over age 50, the gadgets have made a hard job just a little easier.

Passive surveillance systems are replacing the “I’ve fallen and I can’t get up” medical alert buttons. Using artificial intelligence, the new devices can automatically detect something is wrong and make an emergency call unasked. They also can monitor pill dispensers and kitchen appliances using motion sensors, like EllieGrid and WallFlower. Some systems include wearable watches for fall detection, such as QMedic, or can track GPS location, like SmartSole’s shoe insoles. Others are video cameras that record. People use surveillance systems like Ring inside the home.

[let’s hope the power and internet are working /pmw1]

Technology isn’t a substitute for face-to-face interaction, stressed Crista Barnett Nelson, executive director of Senior Advocacy Services, a nonprofit group that helps older adults and their families in the North Bay area outside San Francisco. “You can’t tell if someone has soiled their briefs with a camera. You can’t tell if they’re in pain, or if they just need an interaction,” she said.

In some instances, people being monitored changed their habits in response to technology. Clara Berridge, a professor of social work at the University of Washington who studies the use of technology in elder care, …

People making audio and video recordings must abide by state privacy laws, which typically require the consent of the person being recorded. It’s not as clear, however, if consent is needed to collect the activity data that sensors gather. That falls into a gray area of the law, similar to data collected through internet browsing.


Subject: QR codes, URL’s, and restaurants
Source: RISKS Digest
https://catless.ncl.ac.uk/Risks/32/93/#subj9.1

QR codes, URL’s, and restaurants “Jerry Leichter” <[email protected]>

Sun, 7 Nov 2021 13:03:57 -0500

For years, we’ve been telling people not to click on links in email. Companies require their employees to go through annual training, wasting time they could be doing useful work being told “don’t click on URL’s in email, they might be malicious.” (Of course then the same companies turn around and send out their own emails, complete with embedded links, to those same employees.) Many restaurants these days have “gone modern.” Rather than providing traditional menus, they put a card on the table with a QR code on it. Scan it on your phone and the menu pops up in your browser. But … why exactly should you trust the URL encoded in that QR code? You actually have less context to verify it than you do in typical email URL’s! Oh, sure, it’s at a restaurant you know and trust … but the last patron could have easily replaced the piece of paper the restaurant owner put there. Sure, you *can* – if you have the right software—look at the URL before viewing it. But the typical URL won’t be managed by the restaurant itself—it’ll be provided by some third party you never heard of. …
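The post's point is that a QR code gives you even less context than an email link, so the only defence is to look at the decoded URL before opening it. The check below is an added example, not part of the RISKS post: it takes the decoded payload of a QR code and the domain you expect the restaurant to use (both assumed inputs, the sample values are constructed) and reports the properties a cautious reader would look for: whether it is a web URL at all, whether it uses TLS, whether a "user@" prefix is hiding the real host, whether the host is a bare IP address or a punycode label, and whether it is under the expected domain at all. It does not fetch anything.

```python
"""Added example: inspect a decoded QR payload before visiting it."""
from ipaddress import ip_address
from urllib.parse import urlsplit


def is_ip_literal(host):
    """True if the host is a raw IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_url(payload, expected_domain):
    """Return {'host': ..., 'warnings': [...]} for a decoded QR payload.

    `expected_domain` is the registrable domain you believe the venue uses
    (constructed in the tests below). An empty warnings list means the URL
    is HTTPS, has no userinfo trick, and is on that domain or a subdomain of
    it; it does not mean the page behind it is trustworthy."""
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Wi-Fi credentials, vCards, plain text and so on also travel in QR codes.
        return {"host": None, "warnings": [f"not a web URL (scheme {scheme!r})"]}

    host = (parts.hostname or "").lower()
    expected = expected_domain.lower().strip(".")
    warnings = []
    if scheme != "https":
        warnings.append("plain http: the page can be altered in transit")
    if parts.username is not None:
        # http://trusted.example@attacker.example/ displays 'trusted.example'
        # first, but the browser connects to whatever follows the '@'.
        warnings.append(f"userinfo {parts.username!r} precedes the real host")
    if is_ip_literal(host):
        warnings.append("host is a raw IP address, not a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: displayed name may look like another domain")
    if host != expected and not host.endswith("." + expected):
        warnings.append(f"host {host!r} is not under {expected!r}")
    return {"host": host, "warnings": warnings}


if __name__ == "__main__":
    # Constructed payloads, as a QR decoder would hand them over.
    for sample in [
        "https://menu.example-restaurant.com/table/12",
        "http://example-restaurant.com@203.0.113.9/menu",
        "https://menu.xn--exmple-rstaurant-8db.com/",
        "WIFI:T:WPA;S:cafe;P:not-a-real-password;;",
    ]:
        print(sample, "->", inspect_qr_url(sample, "example-restaurant.com"))
```

The "expected domain" input is the weak spot, exactly as the post notes: if the venue outsources its menu to a third party you have never heard of, the host will legitimately mismatch, and the check can only tell you that, not whether the third party is trustworthy.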


Subject: Hackers are Hijacking Phone Numbers to Empty Crypto Accounts
Source: tech.io
https://tech.co/news/hackers-hijacking-phone-numbers-empty-crypto

Small-scale crypto investors are being increasingly targeted by hackers, according to one report published this week. Cybercriminals are performing a fraudulent practice called SIM-swapping – within which a person’s phone number is switched to a new device. Several telecoms carriers are now embroiled in lawsuits brought by victims who feel they were not sufficiently protected.

Shielding yourself from SIM-Swapping involves limiting the personal information you put on social media and using tech like password managers and authenticator apps.

Crypto-Thieves Move on to Smaller Fish 

Reporting in The Wall Street Journal details how one individual who invested their life savings in Bitcoin had their accounts emptied overnight, losing $80,000 or more in cryptocurrency value.

SIM-swapping only takes around 10 minutes and is well worth the time for hackers. Once you have control of someone’s phone number, you have a potential way into the owner’s accounts – from social media to their bank.

This is largely due to the fact phone numbers are often invoked in security protocols, such as two-factor authentication, and can be used to receive codes to reset passwords.

Can I Protect Myself Against SIM-Swapping?

One way to protect yourself is to use an authenticator app for multi-factor authentication processes rather than your actual phone number. This means a hacker would have to have your actual device to break through the authentication barrier, rather than your phone number, and the codes refresh regularly.
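Why an authenticator app survives a SIM swap when an SMS code does not comes down to where the secret lives. Authenticator apps implement TOTP (RFC 6238): at enrollment the service and the phone share a random secret, and each code is an HMAC over the current 30-second time step, so nothing about the code ever transits the phone network and moving the phone number to another SIM moves nothing. The block below is an added example, not code from the tech.co article or from any particular authenticator: a minimal RFC 6238 implementation with the verification window a server would use, checked against the test vectors published in the RFC's appendix (secret "12345678901234567890", SHA-1, truncated here to six digits).

```python
"""Added example: TOTP (RFC 6238) as implemented by authenticator apps."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically
    truncated to 31 bits, reduced modulo 10**digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, at_time: float, window: int = 1,
                step: int = 30) -> bool:
    """Server-side check. Accept the code for the current step and `window`
    steps either side to absorb clock drift; compare in constant time."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(key, counter + d), code)
        for d in range(-window, window + 1)
    )


def new_device_secret(nbytes: int = 20) -> str:
    """Enrollment: a random secret, base32-encoded as the QR code / text
    string the app scans. The same bytes are stored server-side; the phone
    number plays no part in it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 string the app stores back into raw key bytes."""
    return base64.b32decode(encoded.upper())


if __name__ == "__main__":
    # Constructed enrollment: both sides hold the same secret from now on.
    enrolled = new_device_secret()
    key = secret_from_base32(enrolled)
    now = time.time()
    code = totp(key, now)              # what the app displays
    print("app shows:", code, "accepted:", verify_totp(key, code, now))
```

The `window` argument is the trade-off a server makes: wider windows tolerate more clock drift but give a stolen code a longer useful life; one step either side is the common choice.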


Subject: Mozilla has released a new platform for privacy-focused email communications
Source: TechRepublic
https://www.techrepublic.com/article/mozilla-has-released-a-new-platform-for-privacy-focused-email-communications/

When you don’t want to give out your personal or work email address, but still need to sign up for an account, Mozilla might have an answer for you with Firefox Relay. Mozilla has announced the availability of a new free and paid Premium service, called Firefox Relay. This new privacy-focused platform makes it possible to hide your actual email address to protect your identity. How it works is simple: You sign up for an account and create an alias. That alias is associated with your email address. With a free account, that alias will use the mozmail.com domain. You can pay for a Premium account where you get more aliases (the free account gives you five) and can even create a new email domain for the aliases. You then use those aliases for whatever purpose you need. When an email comes into those aliases, it will be forwarded to the associated account. It’s as simple as that.

OK, so you’re probably spotting the issue with this upfront. Firefox Relay won’t cut down on the spam you receive. If you subscribe to a mailing list, you’ll get spam. Period. However, what this does is ensure your real email address isn’t used (or sold) by any company (or individual), which would compound the privacy problem. Even better, you can very easily delete an alias once it has served its purpose.


Subject: Fraud fighters aren’t prepared for the multi-billion dollar threat of global insurance fraud
Source: Help Net Security
https://www.helpnetsecurity.com/2021/11/23/insurance-fraud-threat/

Nearly 60% of those tasked with thwarting the multi-billion dollar threat posed by global crime rings are not yet up to the task, reports a study by the Coalition Against Insurance Fraud, IBM and Luxoft. The study surveyed financial crimes experts, data security analysts, government regulators, insurance professionals and others to better understand how anti-fraud experts from around the world are dealing with international fraud rings.

The research found that fraud fighters – professionals tasked with investigating and prosecuting insurance fraud – in North America were the least prepared for threats from abroad.

“Organized rings, both foreign and domestic, are stealing billions,” Coalition Co-Chair David Rioux of Erie Insurance said.

The study surveyed fraud fighters living in 33 countries across North America, the Middle East, Europe, Asia, and Africa.


Subject: What are people reporting at DoNotCall.gov?
Source: FTC Consumer Information
https://www.consumer.ftc.gov/blog/2021/11/what-are-people-reporting-donotcallgov

In the past 18 years of the National Do Not Call Registry, those of you signed up for the registry (244 million phone numbers right now) have reported millions upon millions of unwanted sales calls over the years. Here’s a quick look at what you’ve reported this year at DoNotCall.gov about the calls you’re getting:…

Learn more about blocking unwanted calls at ftc.gov/calls.


Subject: How do I select an automotive IoT security solution?
Source: Help Net Security
https://www.helpnetsecurity.com/2021/11/23/select-automotive-iot-security/

As the automotive industry rapidly evolves and cars become smarter, cybercriminals are becoming more sophisticated too, constantly finding new ways to compromise connected vehicles. Other than the possibility of being stolen, there is an even greater threat, which implies the vehicle being controlled by hackers thus putting human lives at risk.

To select a suitable automotive IoT security solution, you need to think about a variety of factors. We’ve talked to several industry professionals to get their insight on the topic.

Security can never and should never be an afterthought. Secure by design solutions enable OEMs to provide an advanced driver experience without compromising on automotive cybersecurity.


Subject: Smishing kicks into high gear as scammers use package delivery texts as clickbait
Source: TechRepublic
https://www.techrepublic.com/article/cant-remember-ordering-that-package-dont-click-on-unfamiliar-links-sent-via-text/

‘Tis the season for scammers to use SMS messages to deliver malicious links straight to your phone. Proofpoint warns that bad actors are taking advantage of the holiday season to hide malware in texts. This form of phishing is called smishing because the attack is delivered through short message service, also known as text messaging. These campaigns range from package delivery notices to offers of loans to help with the holidays. Cybercriminals send smishing attacks that claim to be from reputable companies, including retailers, ecommerce brands and parcel delivery companies, to steal personal information from unsuspecting targets. Proofpoint researchers report that holiday-themed smishing attacks have almost doubled compared to this time last year. Jacinta Tobin explained the spike in malicious text messages in a blog post on Proofpoint’s site. In one smishing attack, the scammer sent a text about an “Early Bird Black Friday” package delivery with a landing page that looks like an authentic package notification. Instead, the website requests personal information from the potential victim, including name, postal and email addresses….


Subject: Best Buy Shares Plunge on Margin Pressures, Cites “Organized Retail Crime”: A Look at Organized Retail Crime in the US, and How Ecommerce Turned it into a Big Business
Source: Wolf Street
https://wolfstreet.com/2021/11/23/best-buy-shares-plunge-on-margin-pressures-cites-organized-retail-crime-a-look-at-organized-retail-crime-in-the-us-and-how-ecommerce-turned-it-into-a-big-business/

Stolen goods get sold to law-abiding Americans by third-party vendors on the biggest ecommerce sites that profit from it. Legislation to control it has gone nowhere. It’s a big profitable business across the US because the cost of the merchandise is zero: Organize a bunch of people via social media, raid a store and run out, arms full of merchandise, and then sell this stuff into specialized distribution channels from where it gets sold by third-party vendors on some of the best-known ecommerce platforms in the US, such as eBay and Amazon and many others.

In his prepared remarks, he said that Best Buy will launch a “new capability,” namely using the QR codes for products that are locked up. “Instead of waiting for an associate to unlock the product, the customer can scan the QR code and then proceed to check out to pay and pick up the product,” he said.

Organized retail crime has been around for about as long as retail itself. But the perpetrators had trouble selling large quantities of merchandise. Selling detergent and consumer electronics and handbags on the sidewalk was hard work and cumbersome.

Retailers, including in recent years ecommerce retailers, have long been sitting ducks for criminals, in part because retailers want to create a smooth and hassle-free shopping experience. And they’ve been getting hit by theft from all sides – and organized retail crime is just one of them:

  • Ecommerce crime
  • Organized retail crime
  • Cyber-related incidents
  • Internal theft (by employees)
  • Return fraud (online and brick & mortar)
  • Gift card fraud

The most recent effort in Congress “to combat the online sale of stolen, counterfeit, and dangerous consumer products” was proposed in October by Congresswoman Jan Schakowsky (D-IL) and Congressman Gus Bilirakis (R-FL). The Integrity, Notification, and Fairness in Online Retail Marketplaces for Consumers Act “directs online platforms that allow for third-party sellers of consumer products to verify the identity of high-volume third-party sellers, which will prevent organized retail crime,” according to the press release.


Subject: SEC.gov | SEC Investor Advisory Committee to Meet Remotely on Dec. 2
Source: SEC Newsroom
https://www.sec.gov/news/press-release/2021-245

FOR IMMEDIATE RELEASE 2021-245 Washington D.C., Nov. 24, 2021 — The Securities and Exchange Commission’s Investor Advisory Committee will hold a public meeting on Dec. 2 by remote means. The meeting will begin at 10 a.m. ET, is open to the public via live webcast, and will be archived on the committee’s website for later viewing. The committee will hold two panel discussions: a panel discussion regarding crypto and digital assets, entitled, “Helping to Ensure Investor Protection and Market Integrity in the Face of New Technologies”; and a panel discussion regarding the SEC’s potential role in addressing elder financial abuse issues. The committee will also discuss a recommendation regarding individual retirement accounts. The full agenda is available here. For a full list of committee members, see the committee’s member biographies webpage….

Other PR items: https://www.sec.gov/news/pressreleases

BONUS: lots of SEC RSS feeds: https://www.sec.gov/about/secrss.shtml

Extra Special RSS feeds: https://www.sec.gov/about/secrss.shtml

Some EDGAR search results can be captured as RSS Feeds. The RSS link on various EDGAR searches is located on the left, immediately above the filings result list.


Subject: When people become data records, ‘low-resolution’ citizens struggle
Source: GCN
https://gcn.com/articles/2021/11/24/low-res-citizens.aspx

A study of the intersection of data and identity finds that people who are “high-resolution” can navigate government systems easily, while those who are “low-resolution” can struggle. According to a paper titled “Seeing Like an Infrastructure: Low-resolution Citizens and the Aadhaar Identification Project” and published Oct. 18, “high resolution” means that data and identification clearly align, allowing people to access any government service they need. But for so-called “low-resolution citizens,” access can be an uphill battle.

“What does it mean to turn a person into a data record? What does that relationship mean to the way the state/citizen relationship unfolds?” asked Ranjit Singh, report co-author, explaining the basis of his research.

He used Aadhaar, India’s biometrics-based identification system, as a test case. When registering with it, people provide fingerprints from all 10 fingers, an iris scan from each eye and a photo for facial recognition. They receive a number that they can then use to access government-provided welfare and other services.

The reason for collecting so many biometrics, Singh said, is that system managers realized early on that fingerprints are subject to change. For instance, they become less clear as people age or when they do manual labor. What’s more, the technology for reading fingerprints may fail, in situations where there is no electricity or network connection. The other biometrics provide redundancy in identification: If the fingerprint fails, try the iris scan and if that fails, use facial recognition.

In a sense, the basic issue is “garbage in, garbage out.” If someone mistypes a name or address while filling out ID papers, that mistake snowballs when the person goes to use the ID to access services.

“It is often the case that if you’re rendered marginal in one system, that often becomes a way of becoming marginal in other systems,” Steven Jackson, report co-author and associate professor of information science at Cornell University, told the Cornell Chronicle. “If you make access a little bit more difficult for some people, that makes certain people’s lives a little bit harder. But for others, it just flows. The result is a differentiating impact, and a subtle but important contribution to inequality.”


Subject: CISA Releases Capacity Enhancement Guides to Enhance Mobile Device Cybersecurity for Consumers and Organizations
Source: CISA
https://us-cert.cisa.gov/ncas/current-activity/2021/11/24/cisa-releases-capacity-enhancement-guides-enhance-mobile-device

CISA has released actionable Capacity Enhancement Guides (CEGs) to help users and organizations improve mobile device cybersecurity.

CISA encourages users and administrators to review the guidance and apply the recommendations.


Subject: US government securities watchdog spoofed by investment scammers – don’t fall for it!
Source: Naked Security
https://nakedsecurity.sophos.com/2021/11/24/us-government-securities-watchdog-spoofed-by-investment-scammers-dont-fall-for-it/

It’s a suggestion, not a fact

Identifying the actual caller is as good as impossible in the case of a regular landline or mobile call, because the phone (or the phone system) has no reliable way of identifying the person who dialled the call in the first place, or who is speaking into the microphone.

And even identifying the phone number of the calling line is troublesome, because the Caller ID data that’s decoded and displayed on your device carries no authentication at all: there is nothing for your phone to check it against.

If it can’t be authenticated, then it’s not really any sort of identification at all.

In short, you need to think of Caller ID or CLI as being no more reliable, and no more precise, than the return address on the back of a snail-mail letter, the choice of which is entirely up to the sender.

In other words, even when Caller ID shows a name or number you recognise, you are entitled to decide that you are not going to trust the call.


Subject: Community reminded of Zoom safety tips
Source: Penn State University News Wire
https://www.psu.edu/news/story/community-reminded-zoom-safety-tips/

UNIVERSITY PARK, Pa. — Penn State students, faculty and staff are reminded that numerous tools are available to help secure Zoom meetings as the University continues to offer hybrid work and class arrangements.

To help secure Zoom meetings, individuals should not share the meeting password. Additionally, to discourage unwanted guests from joining a Zoom meeting, it is strongly recommended that individuals do not post meeting links on social media platforms and other online sites.

“Zoom safety should always be on the forefront of our community’s mind,” said Richard Sparrow, Penn State’s interim chief information security officer. “We have been working in a remote and hybrid format for over a year, however, we must remain vigilant to prevent unwanted actions or disruptions in our classes, meetings and more.”

A list of tips and settings to help prevent unwanted actions by participants is available, and includes actions to help prevent unwanted participants from entering a Zoom meeting…


Subject: New Twists on Gift-Card Scams Flourish on Black Friday
Source: Threatpost
https://threatpost.com/new-twists-on-gift-card-scams-flourish-on-black-friday/176593/

Fake merchandise and cryptojacking are among the new ways cybercriminals will try to defraud people flocking online for Black Friday and Cyber Monday.

Black Friday cyber-pariahs have revamped gift-card scams to better target modern online shoppers hungry for deals post-Thanksgiving. Experts warn new tactics include bogus gift-card generators that install malware designed to sniff out a victim’s cryptocurrency wallet address.

Internet-based Black Friday and Cyber Monday scams have become as common as the Macy’s Thanksgiving Day Parade. That’s why scammers have to trot out new ways to snare cyber-savvy shoppers. In a Tuesday post, researchers at Malwarebytes Labs outlined this year’s latest gift-card scams. One novel twist is offering gift cards for significantly less than face value as a ploy to entice users to buy stolen gift cards or download malware.

“If you see websites offering all kinds of discounts on gift cards, you can be assured that these will turn out to be fakes or they have been acquired in an illegal way and you could be acting as a fence,” wrote Pieter Arntz, Malwarebytes malware intelligence researcher.



Subject: Companies ditching VPNs for zero trust architectures to secure hybrid workplaces
Source: Help Net Security
https://www.helpnetsecurity.com/2021/11/25/zero-trust-hybrid-workplaces/

Hybrid workplaces are the new norm, with 99% of respondents reporting that their workforces will split time between the office and remote settings post-pandemic, a Teradici survey of more than 8,000 respondents across a range of industries reveals.

The survey also found that concerns about endpoint security and data integrity are skyrocketing as Bring Your Own Device (BYOD) makes a comeback and employees commute with their devices.

“The pandemic has caused a fundamental shift in how people work, and the ‘office’ will never be the same,” said Ziad Lammam, Global Head of Teradici Product Management, HP.

“As a result of the enormous security concerns associated with unmanaged devices, as well as BYOD, organizations are changing how they think about securing their corporate assets. Expect to see companies move away from traditional VPNs to Zero Trust architectures to shore up their endpoints and protect their data.”

To combat security concerns, organizations will move to remote access and zero trust architectures: companies have largely relied on VPNs for employees to connect remotely, as many organizations have not yet completed their migration to the cloud. As hybrid work becomes the norm over the long term, remote desktop technologies built on zero trust architectures will replace VPNs in an effort to better protect corporate networks. On top of this, IT will need to enhance the security awareness of employees to prevent leaks and breaches caused by human error.



Subject: Apple iOS privacy settings to change now
Source: WaPo via beSpacific
https://www.bespacific.com/apple-ios-privacy-settings-to-change-now/

Washington Post – How to make your iPhone and iPad as private as possible: “Privacy is a central part of Apple’s marketing campaigns and it sounds great in the company’s ads and product announcements. But actually making things as private as possible on Apple devices does require a bit of effort and time. We’ve assembled all the settings you can change on your iPhone and iPad to make the devices as private as possible. These instructions are all based on iOS 15, the newest version of the operating system…”

Posted in: Criminal Law, Cybercrime, Cyberlaw, Cybersecurity, E-Commerce, Economy, Email Security, Healthcare, Information Architecture, Information Management, Privacy, Securities Law, Shopping, Social Media, Technology Trends