Pete Recommends – Weekly highlights on cyber security issues, December 26, 2021

Subject: Verizon wants your browsing history so bad, it created a new program and opted you in
Source: Android Central
https://www.androidcentral.com/verizon-wants-your-browsing-history-so-bad-it-created-new-program-and-opted-you.

What you need to know:

  • Verizon is collecting information about which sites you visit and apps you use with the Verizon Custom Experience program.
  • The Program will help Verizon provide more relevant ads and recommendations to customers based on their interests.
  • The program automatically opts consumer and small business customers in.
  • Customers can opt out of the privacy settings in the My Verizon app.

Verizon is on a hunt for your data, according to a new program it’s informing subscribers about. The Verge reported on a new Verizon Wireless program that automatically opts customers into sharing their data with the carrier.

The Verizon Custom Experience program uses your data to help the company personalize its communication with you to deliver more relevant product and service recommendations. Essentially, it allows the company to build a profile to more effectively advertise to you.

Filed: https://www.androidcentral.com/category/carriers


Subject: How likely are employees to fall prey to a phishing attack?
Source: Help Net Security
https://www.helpnetsecurity.com/2021/12/20/employees-phishing-attack/

22% of employees are likely to expose their organization to the risk of cyber attack via a successful phishing attempt, a Phished report reveals. Analysis of the broad and diverse data set reveals how vulnerable the average employee is to phishing attacks and offers insight into key trends, including which topics lead to the most successful phishing attacks and which message formats are most likely to trick employees.

The data shows that of employees who open a phishing message, 53% are likely to click a malicious link contained within it. When asked to disclose data, for example on a spoofed login page, 23% of recipients enter their data. If a message contains an attachment, 7% of all recipients will download and open it.

Conclusions: “The task for the coming year is clear: organizations must focus explicitly on awareness among their employees. In recent years, the volume of phishing attacks has increased exponentially and without a radical countermovement, these campaigns will continue to claim more victims, resulting in major losses for organizations. A one-off workshop does not help against phishing. People need thorough, repeated training to help them recognise increasingly sophisticated phishing messages,” concludes Van de Meulebroucke.


Subject: Synthetic identity fraud: What is it, and why is it harmful?
Source: TechRepublic
https://www.techrepublic.com/article/synthetic-identity-fraud-what-is-it-and-why-is-it-harmful/#ftag=RSS56d97e7

Online consumers can do everything right and still become cyber victims. Learn about synthetic identity fraud and why “buyer beware” is not enough. Digital criminals are creating new and effective ways to con businesses and financial institutions by using synthetic identity fraud. They are having enough success that those in the know at McKinsey and Company are more than a little concerned:

“By our estimates, synthetic identity fraud is the fastest-growing type of financial crime in the United States, accounting for ten to fifteen percent of charge-offs in a typical unsecured lending portfolio.”

Laura Hoffner, current chief of staff at Concentric and former naval intelligence officer, is also concerned. “We’re seeing a huge increase in synthetic identity fraud — the process of combining real and fake personal information to create an identity and commit fraud,” Hoffner said during an email conversation. “It’s really growing, fueled by easy criminal access to corporate networks and Ransomware as a Service (RaaS) tools.”

Part of the problem, according to Hoffner, is the amount of personally identifiable information (PII) that has been compromised over the last 10 years. “Access to compromised networks is cheap, thanks to the availability of initial-access brokers and RaaS tools that can turn everyday petty crooks into full-blown cybercriminals in an afternoon,” Hoffner said. “This trend is most prevalent in the United States because of the emphasis on static PII to verify identity.”

What exactly is synthetic identity fraud?

Synthetic identity fraud melds factual information with fake information to create a unique identity that cybercriminals can exploit. An example of factual information commonly used by digital fraudsters would be Social Security numbers (SSNs) — especially SSNs of young children and deceased adults, due to a lack of activity and monitoring of those accounts. False information tends to include fake addresses, social media profiles or any required information to complete the targeted financial application. “Together, this creates an entirely new identity through which fraudulent and illicit activity can go unchecked,” Hoffner said.

What can be done to avoid synthetic identity fraud?

Sadly, synthetic identity fraud is difficult to detect and thus, hard to prevent. And as mentioned earlier, we consumers can do little to protect ourselves. Buyers have to rely on businesses and financial institutions to have sophisticated equipment to spot synthetic identity fraud.

Filed: https://www.techrepublic.com/topic/security/



Subject: 6 top cybersecurity trends from 2021 and their impact on 2022
Source: Help Net Security
https://www.helpnetsecurity.com/2021/12/21/top-cybersecurity-trends-2022/

2021 has been a wild year in the cybersecurity space. From supply chain attacks like the SolarWinds hack to the NSO Group’s spyware scandal to the Colonial Pipeline ransomware attack, organizations are facing new (and repackaged) attacks daily. In fact, according to the Identity Theft Resource Center, the total number of data breaches through September 2021 has already exceeded 2020 numbers by 17%.

But beyond specific attacks, a variety of trends emerged and continued to gain strength in 2021. In this article, we look at six of them and examine how they might evolve in 2022. It’s also worth noting that each of these trends depends on and affects the others (and this list is just the tip of the iceberg), and it’s often at their intersection points that the biggest risks and threats exist.


RSS feed: https://www.helpnetsecurity.com/feed/

Sample tag RSS feed: https://www.helpnetsecurity.com/tag/critical-infrastructure/feed/


Subject: Cyber insurance trends: Insurers and insurees must adapt equally to growing threats
Source: Help Net Security
https://www.helpnetsecurity.com/2021/12/21/cyber-insurance-trends/

Cyber insurance has been around since the 1990s and is viewed much differently since ransomware started growing and making headlines every day. Insurance companies used to employ cash-flow underwriting on cyber policies, meaning that they would take on a lot of policies just to pad their books of business with premiums. As a result, enterprises would often get blanket cyber coverage for a relatively good price – at least compared to today’s standards. Ransomware has largely struck fear in insurers, and they have reduced coverage significantly and are raising premiums. Some even consider excluding it altogether.

Insurers offering cyber coverage are asking more diligent questions about enterprise risk posture and adding more exclusions. This eliminates coverage for certain acts, property, types of damage or locations. Insurers are also trying hard to diversify their books of business so that a single ransomware attack on a third-party provider doesn’t drive catastrophic losses. Imagine being an insurance company that had many insureds running SolarWinds software during that attack. The financial loss from a catastrophic event can be so large that an insurer may collect premiums for 10 years only to have one attack wipe out all those profits.

On the insurance side, they will invest more in tools for underwriting cyber risk, portfolio management and high-end cybersecurity risk mitigation services to their insureds. One thing that could begin to materialize in 2022 is growing cyber insurance regulations to drive standardization. Any progress on this front should help enterprises better understand what’s expected of them in terms of communicating their cyber risk posture and also what they can expect in terms of cyber coverage.

NB How about an outside security/risk audit, not just once during underwriting?


Subject: F-Secure uses flaw in at-home COVID-19 test to fake results
Source: TechRepublic
https://www.techrepublic.com/article/f-secure-uses-flaw-in-at-home-covid-19-test-to-fake-results/#ftag=RSS56d97e7

Security researchers used a Bluetooth vulnerability to change negative results to positive. Security researchers found a vulnerability in a home test for COVID-19 that a bad actor could use to change test results from positive to negative or vice versa. F-Secure found that the Ellume COVID-19 Home Test could be manipulated via the Bluetooth device that analyzes a nasal sample and communicates the results to the app.

“F-Secure determined that by changing only the byte value representing the ‘status of the test’ in both STATUS and MEASUREMENT_CONTROL_DATA traffic, followed by calculating new CRC and checksum values, it was possible to alter the COVID test result before the Ellume app processes the data.”

Filed: https://www.techrepublic.com/topic/security/
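The finding above boils down to a design point worth seeing in code: a CRC or checksum detects accidental corruption, but anyone who can rewrite the bytes can also recompute it, so it is not tamper evidence. The example below is added here and is not F-Secure's or Ellume's code; the five-byte record layout, the status-byte offset and the shared key are constructed for illustration, and HMAC-SHA256 stands in for whatever keyed integrity check a hardened design would use.

```python
import binascii
import hashlib
import hmac

# Constructed sample record: byte 2 is an invented "test status" field
# (0x00 = negative, 0x01 = positive). Not the device's real protocol.
STATUS_OFFSET = 2
SAMPLE_RECORD = bytes([0xA5, 0x01, 0x00, 0x42, 0x17])

# Hypothetical key shared between device and app; a real design would
# provision it per device rather than hard-code it.
SHARED_KEY = b"example-shared-key-not-real"


def frame_with_crc(payload: bytes) -> bytes:
    """Append a CRC-32 trailer: integrity against noise, not against an editor."""
    return payload + binascii.crc32(payload).to_bytes(4, "little")


def verify_crc(frame: bytes) -> bool:
    payload, trailer = frame[:-4], frame[-4:]
    return binascii.crc32(payload).to_bytes(4, "little") == trailer


def frame_with_mac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only a holder of `key` can produce a valid one."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify_mac(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def simulate_edit_crc_frame(frame: bytes) -> bytes:
    """Model the report's observation: flip the status byte, then refresh the
    CRC. Because a CRC needs no secret, the edited frame still verifies."""
    payload = bytearray(frame[:-4])
    payload[STATUS_OFFSET] ^= 0x01
    return frame_with_crc(bytes(payload))


def simulate_edit_mac_frame(frame: bytes) -> bytes:
    """Same status flip on the MAC-protected frame. Without the key the tag
    cannot be refreshed, so verify_mac rejects the edited frame."""
    payload = bytearray(frame[:-32])
    payload[STATUS_OFFSET] ^= 0x01
    return bytes(payload) + frame[-32:]
```

The app-side check is the part that matters: a receiver that accepts any frame whose CRC matches will accept the edited one, while the keyed tag makes the status flip visible.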


Subject: Trafficking and Money Laundering: Strategies Used by Criminal Groups and Terrorists and Federal Efforts to Combat Them
Source: U.S. GAO
https://www.gao.gov/products/gao-22-104807

We reviewed how transnational criminal organizations and terrorist groups traffic goods such as illegal drugs, engage in human trafficking, and launder money. We also looked at the information sharing used to help detect these activities. Responsibility for combating trafficking is spread across multiple federal agencies. Agencies collaborate via task forces that share information and resources with each other, the private sector, and foreign counterparts. The U.S. Treasury Department, for example, shares information with more than 160 international financial intelligence agencies.

Topics: Justice and Law Enforcement

Subject: These 6 tips will help you spot misinformation online
Source: Poynter via beSpacific
https://www.poynter.org/fact-checking/2021/these-6-tips-will-help-you-spot-misinformation-online/

MediaWise, Poynter’s digital media literacy program, has expanded in the U.S. and abroad. But anyone can learn to spot misinformation right now.

Now, more than ever, we need digital media literacy education in the U.S. — to help teens understand the importance of sorting fact from fiction online; teach older Americans how to spot the fake images, memes and doctored videos that fueled the Jan. 6 insurrection and prolonged the coronavirus pandemic; and support Spanish-speakers, who are disproportionately targeted with misinformation.

MediaWise has done all that in 2021, in addition to expanding our Campus Correspondents program, which centers on college students teaching other college students how to spot misinformation online. And we end the year with plans to take our digital media literacy training global with courses available through WhatsApp in Brazil, Spain and Turkey.

But, right now you might be thinking: “Hey, this sounds great, but here I am on Poynter.org, arguably the greatest journalism website in history — why can’t you just tell me right now how to avoid misinformation?”

You’re in luck. Here are six tools and techniques you, your friends (or enemies) and family can use to make a dent in the false information flowing on the internet today.


Subject: Bots are stealing Christmas!
Source: Help Net Security
https://www.helpnetsecurity.com/2021/12/24/malicious-automation-trends/

Malicious automation trends:

  • 4x increase in automated online gift card lookup attempts
  • 10x increase in malicious login attempts due to credential stuffing
  • Discovery of a new type of sophisticated all-in-one bot (AIO) used prominently during hype drop sales that is more efficient and effective than its predecessors
  • Majority of Black Friday bad bots come from the USA, followed by Australia and the UK

“As we approach 2022, the frequency and severity of bad bots continue to threaten online businesses,” said Sam Crowther, CEO, Kasada. “The level of sophistication we are witnessing within the botting community is at an all-time high as they continue to collaborate and improve upon their methods to conduct online fraud and generate profits through the use of malicious automation.”

Posted in: Big Data, Business Research, Cybercrime, Cybersecurity, Data Mining, Economy, Email Security, Financial System, Healthcare, Privacy, Spyware, Technology Trends