Pete Recommends – Weekly highlights on cyber security issues, December 11, 2021

Subject: Is your state ready to handle the influx of federal funds for expanding broadband?
Source: Opinion – Pennsylvania Capital-Star

The federal government is pouring billions of dollars into expanding broadband internet access. But it’s at the state level where the financial rubber meets the fiber-optic road. History suggests some states are ahead of the game while others will have to play catch-up.

The recently signed Infrastructure Investment and Jobs Act includes significant funding to expand broadband access, to help households pay for their monthly broadband connections and to help people learn how to productively use those connections. This legislation represents Congress’ first formal recognition of the essential nature of high-speed internet.

Historically, broadband funding has been distributed from federal entities like the Federal Communications Commission or U.S. Department of Agriculture directly to internet providers. The Government Accountability Office, which monitors and audits government operations, has been critical of these efforts.

This time, however, states are at the center of the funding that is coming down the pipeline. The US$42.5 billion Broadband Equity, Access, and Deployment program, known as BEAD, requires each state to generate a five-year action plan laying out how it will use the funds, including a process for prioritizing locations that are classified as “unserved” or “underserved.”

Similarly, the $2.7 billion Digital Equity Act requires each state to establish an organization responsible for developing a digital equity plan, which will help to disburse subgrants. Digital equity means ensuring that every community has adequate access to the technologies and skills needed to fully participate in society.

State policies – and experience – matter

A growing body of evidence suggests that state-level broadband policies matter. Case studies of successful state programs show a range of promising practices, including stakeholder engagement and program evaluation.
The pending broadband funds will build on many of these practices – for states that had the foresight to have them up and running. Other states will be at a disadvantage from the outset. We believe that these differences are likely to play an important role in the success of the overall program.

Subject: Convincing Microsoft phishing uses fake Office 365 spam alerts
Source: Bleeping Computer

A persuasive and ongoing series of phishing attacks is using fake Office 365 notifications that ask recipients to review blocked spam messages, with the end goal of stealing their Microsoft credentials. What makes these phishing emails especially convincing is that they are sent from quarantine[at] and that the display name matches the recipient’s domain.

Additionally, the attackers have embedded the official Office 365 logo and included links to Microsoft’s privacy statement and acceptable use policy at the end of the email.

Luckily, the phishing messages come with text formatting issues and out-of-place extra spaces that would allow spotting these emails’ malicious nature on closer inspection.

Subject: Pixel Phones Sent For Repair Used To Post Nudes, Steal Money & Hijack Accounts
Source: Android Headlines

In a shocking development, it appears authorized Google Pixel repair technicians are tampering with customers’ devices after repairing them. Two separate reports have emerged over the past week and they claim that the technicians have gone as far as hacking into accounts, stealing money, and uploading nudes on social media.

The first incident, reported on December 1st on Reddit, involves an RMA (return merchandise authorization) of a broken Pixel phone. The author of the report says the device, which belonged to his wife, broke about a month ago and they sent it to Google for an RMA. Since the phone wouldn’t power on, they couldn’t wipe it. They reportedly hadn’t set a password or PIN on the device either.

A month after they sent the phone, someone hijacked the social media accounts of the author’s wife to post nude pictures of the couple. The hacker also accessed her Google account and tried to lock her out. Additionally, a sum of $5 was transferred out from a PayPal account. As the author points out, it was probably a test to steal a bigger amount later.

Subject: Amazon Web Services Announces Second ‘Top Secret’ Cloud Region
Source: Nextgov

Amazon Web Services today announced a second cloud computing region designed specifically to host the federal government’s top secret classified information. Called AWS Top Secret-West, the region provides additional geographic availability and resiliency of AWS cloud services for U.S. intelligence and defense agencies, including the CIA and NSA, on which to host, analyze and run applications.

AWS Top Secret-West is the company’s second commercial cloud accredited for classified workloads that is air-gapped—or shut off—from the rest of the internet. The new region joins AWS Top Secret-East, which has been hosting the government’s top secret data since 2014.

In an October interview with Nextgov, acting Intelligence Community Chief Information Officer Mike Waschull offered some insight into why commercial cloud computing is figuring so heavily into defense and intelligence agency missions. Waschull said the cloud provides a scalable environment where a mix of open-source and classified datasets can be brought together for various purposes, such as processing, storage or analysis, and noted that cloud also helps in the retirement of old hardware systems and data centers.

Subject: Court order seizes websites used by China-based hacking group, Microsoft says
Source: CNNPolitics

“We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations,” Tom Burt, a corporate vice president at Microsoft, wrote in a blog post.

The Microsoft action is part of a broader effort by US tech companies and government agencies to expose sophisticated digital espionage campaigns before they do too much damage. In another case, the National Security Agency has investigated an ongoing hacking scheme in which suspected Chinese operatives have breached multiple US defense and technology firms.

The court order from the US District Court for the Eastern District of Virginia allowed Microsoft to take control of 42 web domains that the hackers were using to try to breach their targets. Traffic from those websites is now routed to computer servers controlled by Microsoft.

Subject: How and why people use password managers
Source: TechRepublic
Password managers provide a more effective way to stay secure online but are still underutilized, says

Juggling a unique and strong password for every online account you use is a Sisyphean task, to put it in mythological terms. That’s why so many people still turn to weak passwords that they use and reuse across multiple accounts. Though biometric authentication is gaining traction, there’s still no universal alternative to passwords. But there is a way to better manage your passwords. A report released Monday by security advice site looks at why people rely on password managers.

In a survey of 1,077 American adults conducted in November, asked people about their experience with cybercrime, how they track their passwords and their views of password managers. Participation in the survey was not based on any level of knowledge or expertise with password managers, so most of the respondents were everyday consumers.

Subject: Cybersecurity: NIH Needs to Take Further Actions to Resolve Control Deficiencies and Improve Its Program
Source: U.S. GAO

The National Institutes of Health’s duties include researching infectious diseases and administering over $30 billion a year in research grants. NIH uses IT systems containing sensitive data to carry out its mission.

This report is a public version of our June 2021 report on NIH cybersecurity. The agency has taken actions intended to safeguard the confidentiality, integrity, and availability of its systems. However, we found many weaknesses related to identifying risks, protecting systems, and more. We have made 219 recommendations for improvements. NIH has partially implemented more than half and fully implemented about a third of them.

As GAO reported in June 2021, the U.S. National Institutes of Health (NIH) implemented information security controls—both for its security program and selected systems—intended to safeguard the confidentiality, integrity, and availability of its information systems and information. However, GAO identified numerous control and program deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations (see table). GAO made 219 recommendations—66 on the security program and 153 related to system controls—to address these deficiencies.

Subject: Scammers are tricking more people into buying gift cards
Source: FTC Consumer Information

According to the newest Data Spotlight, 40,000 people reported losing a whopping $148 million in gift cards to scammers during the first nine months of 2021. Those are staggering numbers which have increased each year for the past several years. Since 2018, gift cards have been the most frequently reported payment method for fraud. But which gift card brand do scammers ask people to buy, and lose the most money on? Google Play, Apple, eBay, and Walmart cards remain popular with scammers. But this year, Target gift cards are scammers’ top choice.

If you find yourself heading to the store to buy gift cards because someone on the phone told you so, stop. No matter who calls, texts, or emails you telling you to pay with a gift card, it is always a scammer. The government and legitimate businesses will never call you demanding payment with a gift card.

Subject: The CIA confirms rumors that it’s working on cryptocurrency projects
Source: Markets Insider

  • At the Wall Street Journal CEO Council Summit on Monday, CIA Director William Burns confirmed the agency is running several cryptocurrency-related projects.
  • Burns said the agency is monitoring the digital asset and ransomware space.
  • It was Burns’ predecessor who set the cryptocurrency projects into motion to look at various consequences of cryptocurrencies.

It’s official: the Central Intelligence Agency is involved in crypto.

During the Wall Street Journal’s CEO Summit on Monday, CIA Director William Burns confirmed that the government agency is running several cryptocurrency-related projects. Burns said it was his predecessor, David Cohen, who started the projects.

While some conspiracy theorists have long held that the CIA invented bitcoin — although this computer scientist would claim otherwise — Burns’ interview simply confirms the agency’s involvement. He called it an “important priority” for the CIA, and he planned to devote “resources and attention” to the subject moving forward.
Burns also said that the CIA would be looking to add crypto experts to its team of intelligence analysts and open communication lines with industry experts.

Subject: Senator Doubles Down On Data Privacy, Sends Letter to CFPB
Source: Nextgov

Fresh off of a Senate committee hearing on data broker restrictions, Sen. Ron Wyden, D-Ore., published an open letter to the Consumer Financial Protection Bureau requesting the agency stop credit agencies from selling the personal data of American citizens. In a letter addressed to CFPB Director Rohit Chopra, Wyden refers to data brokers as “shady middlemen” who sell personal and sensitive information of American citizens to various entities. He specifically denounces the federally-recognized credit unions Equifax, Experian and TransUnion as examples of credit reporting agencies that sell personal information of clients who request financial data to data brokers.

He notes that federal law protects the privacy of Americans’ financial information, such as credit scores and credit lines, but data like home addresses, Social Security numbers and dates of birth are commonly harvested and sold to external data brokers, who can then sell it to other parties.

“The data broker industry is out of control, in part because of vague and undefined regulations,” Wyden wrote.

He specifically notes that CFPB needs to issue stricter protocols surrounding customer data held by financial institutions and credit bureaus.

Subject: Consumer Reports’ VPN Testing
Source: Consumer Reports via beSpacific

“Consumer Reports conducted an in-depth test of 16 well-known VPNs, carefully evaluating their security measures (how resistant they are to leaks and hacks) and their privacy practices (how much data the services themselves collect, what it’s used for, and who it’s shared with). We based our results on inspection of VPN features, analysis of network traffic, evaluation of user interfaces, and publicly available documentation. We also looked at various VPNs’ marketing copy and whether it accurately presented the products and their underlying technology….

Here’s a summary of what we found with all 16 of the VPNs we tested, and below that, more details on what the best VPNs did right…”

[from CR …]

Subject: CISA Releases Guidance on Protecting Organization-Run Social Media Accounts
Source: CISA

CISA has released Capacity Enhancement Guide (CEG): Social Media Account Protection, which details ways to protect the security of organization-run social media accounts. Malicious cyber actors that successfully compromise social media accounts—including accounts used by federal agencies—could spread false or sensitive information to a wide audience. The measures described in the CEG aim to reduce the risk of unauthorized access on platforms such as Twitter, Facebook, and Instagram.

CISA encourages social media account administrators to implement the protection measures described in CEG: Social Media Account Protection:

  • Establish and maintain a social media policy
  • Implement credential management
  • Enforce multi-factor authentication (MFA)
  • Manage account privacy settings
  • Use trusted devices
  • Vet third-party vendors
  • Maintain situational awareness of cybersecurity threats
  • Establish an incident response plan

Note: although CISA created the CEG primarily for federal agencies, the guidance is applicable to all organizations.

Subject: What Agencies Need to Do to Combat Shadow IT Driven by Cloud Sprawl
Source: Nextgov

Cloud sprawl happens when development teams spin up new cloud resources, forget about them, then move on to the next urgent task. Migrating to the cloud offers federal agencies huge advantages in performance and flexibility. Government services can’t effectively scale or adopt new capabilities like big data analytics, artificial intelligence, machine learning and internet of things without migrating to the cloud. But government cloud adoption has empowered an old IT nemesis: shadow IT.

Shadow IT is the use of IT systems, devices, software, apps and services outside the supervision of an organization’s approved IT systems. In the past, shadow IT was typically a business unit creating its own locally developed applications, or LDAs, because engaging the office of the chief information officer was judged too onerous. During my time in public service, I saw personnel surreptitiously use Microsoft Access to address an urgent data processing need that inadvertently turned into a mission-critical mission system. This was only discovered when Microsoft Access reached its scaling limits and then turned into an emergency project to transform it into a web-based application.
