Pete Recommends Weekly highlights on cyber security issues, January 2, 2022

Subject: Data assessment, user consent key to compliance with China law
Source: ZDNet

International businesses that process information from China should obtain user consent and establish a data map, so they do not run afoul of the country’s Personal Information Protection Law (PIPL). Specifically, they should look closely at cross-border data flow and residency, even as more clarity still is needed on some components in the new legislation.

Organisations that already are set up to comply with Europe’s General Data Protection Regulation (GDPR), though, have a good foundation on which to work towards PIPL adherence.

Passed in August, the Chinese legislation came into force last month, laying out ground rules around how data should be collected, used, and stored. It outlines data processing requirements for companies based outside of China, which include passing a security assessment conducted by state authorities.

Multinational corporations (MNCs) that move personal information out of the country also will have to obtain certification on data protection from professional institutions. The Chinese government described the legislation as necessary to address the “chaos” created, in which online platforms had been excessively collecting personal data.

Because it was modelled broadly after GDPR, enterprises that had readied themselves for the EU data protection legislation would be better placed to prepare for PIPL compliance.


Topic: Security

Subject: Privacy-focused search engine DuckDuckGo grew by 46% in 2021
Source: BleepingComputer

The privacy-focused search engine DuckDuckGo continues to grow rapidly, with the company now averaging over 100 million daily search queries and growing by almost 47% in 2021.

Unlike other search engines, DuckDuckGo says they do not track your searches or your behavior on other sites. Instead of building user profiles used to display interest-based ads, DuckDuckGo search pages display contextual advertisements based on the searched keywords.

This means that if you search on DuckDuckGo for a television, that search query will not be used to display television ads at every other site you visit.

Furthermore, to build their search index, the search engine uses the DuckDuckBot spider to crawl sites and receive data from partners, such as Wikipedia and Bing. However, they do not build their index using data from Google.

However, as people continue to become frustrated with how their data is being used by tech giants like Google, Facebook, Microsoft, and Apple, we will likely see more people switch to privacy-focused search engines.


Subject: The dangers of dark data: How to manage it and mitigate the risks
Source: TechRepublic

“Employees also use company-appointed laptops for everything from video calls to sharing documents and accessing email,” Remmington said. “This creates an excessive amount of dark data that looms in company storage. In addition, employees may copy centralized content to their local laptops and not upload it after altering it.”

Remmington believes that the problem with the growing amount of dark data will always be managing it and making sure it’s revisited and leveraged appropriately for business intelligence and governance purposes. Additionally, when employees leave the business, enterprises risk a loss of intellectual property or corporate memory by missing dark data.

How serious is the risk of not managing dark data?


Subject: Tips for providing digital security benefits to employees
Source: TechRepublic

The realm of company-provided benefits is expanding as companies elect to offer more comprehensive forms of protection to their employees. Medical, dental, disability and life insurance have long been staples, with vision and healthcare spending plans being added to the mix. Now we may take advantage of pet insurance, wellness benefits and a new addition: digital security benefits. Digital security benefits seek to protect employees (and their children) from online predators engaging in attempted identity theft or the harvesting of credentials/account information. This can help both the employee and the business since, as describes, identity theft can result in the loss of six months and 100 to 200 hours of work, increased emotional distress levels and a consumer average cost of $1,343 per identity theft incident.

Phil Albinus of Human Resource Executive quoted Kristin Lewis, SVP of Product and Strategy, Employee Benefits at Aura, who said the benefit entails implementing protection services that “monitor for the unauthorized use of employees’ personal identifiable information, such as Social Security numbers, bank account details, passwords, medical information and related information. A digital security solution would alert employees whose information is being used so they can take the appropriate action — whether it’s changing a password, freezing accounts or addressing fraudulent unemployment claims — to ensure their information is safe.”

Lewis offered the following tips on introducing a digital security benefits program:

Subject: LastPass Says It Didn’t Leak Your Password
Source: Gizmodo

Did LastPass get hacked? Some users of the popular password manager recently received emails from the company warning them of suspicious login attempts that were utilizing their master password—definitely never a great sign. Speculation soon spread that LastPass may have suffered a data breach that exposed users’ credentials, thus allowing for the malicious activity to take place. The news first blew up on the popular forum Hacker News before spreading to Twitter…

But is there any validity to the claims against LastPass? According to LastPass itself, the answer is: We don’t think so. When reached for comment by Gizmodo, the company provided us with a statement blaming the irregular activity on “credential stuffing” attempts by some unknown threat actor:

So, according to the company, they haven’t seen any evidence that they leaked users’ data, or that a hacker has even successfully gotten its hooks into users’ accounts. If you’re a LastPass user and that sounds like cold comfort, a good step to take would be to activate multi-factor authentication as an additional protection—probably a good thing to do anyway.


Subject: The Worst Scams of 2021

We’ve covered a lot of scams over the last year. Take a look at some of the worst below and learn how to avoid them.

It’s been one heck of a year. Between massive security breaches and new COVID variants, it’s safe to say it’s been a year of protecting yourself. Unfortunately, the world of cybercrime hasn’t taken a break during the pandemic, which means that staying vigilant while online is more important than ever. In fact, in just the first four months of 2021, the US was already experiencing 25% more digital fraud than the previous year, and it didn’t get much better from there. As the consequences of poor cybersecurity continued to become a part of everyday online life, and to paraphrase GI Joe, understanding how they work is half the battle.

Over the course of the year, has covered a wide range of scams, from ransomware and phishing attacks to fake vaccine surveys and cryptocurrency hacks. In this article, we’re going to round them all up to help you understand that 2021 was a year full of scams, so you know how to avoid them in the new year.

How to Protect Yourself Online – All those tools are great, but your most valuable asset when it comes to cybersecurity is your own vigilance. If you take a closer look, most scams are incredibly easy to spot, as long as you take the time to do so. Good luck out there, and we’ll see you in 2022 with a whole new batch of scams!

Subject: Hackers Are Getting Better At Defeating 2FA Security
Source: Gizmodo

Two-factor authentication is a widely used and trusted security mechanism, but criminals are increasingly using malicious toolkits that can outwit it. Two-factor authentication, or 2FA, has been sold to web users as one of the most important and trustworthy tools for securing your digital life. You probably know how it works: By supplying an account with not just your password but also a secondary piece of information (typically an automated code texted to your phone or device of choice), companies can verify that whoever signs into your account is definitely you and not just some goon who’s managed to get their hands on your personal information.

However, according to new research, said goons have unfortunately found a number of effective ways to get around your 2FA protections—and they’re using these methods more and more.

The study, put out by academic researchers with Stony Brook University and cybersecurity firm Palo Alto Networks, shows the recent discovery of phishing toolkits that are being used to sneak past authentication protections. Toolkits are malicious software programs that are designed to aid in cyberattacks.


Subject: 5 Cybersecurity Trends to Watch in 2022
Source: Threatpost
Here’s what cybersecurity watchers want infosec pros to know heading into 2022. No one could have predicted the sheer chaos the cybersecurity industry would experience over the course of 2021. Record-annihilating numbers of ransomware attacks, SolarWinds’ supply-chain havoc and most recently, the discovery of Log4j by…Minecraft gamers. All of it would have sounded too wild for real life a short year ago. Yet here we are.

Predictions about the year ahead seem audacious considering the last 12 months, so instead, Threatpost talked to industry experts and developed this list of the five top trends to watch in 2022.


Subject: Facebook, Google, Apple, and others face a growing whistleblower movement
Source: Vox

Big Tech’s own employees are one of the biggest checks on its power. Inside the growing whistleblower movement that’s holding tech giants accountable for their missteps.

These employees — a mix of public whistleblowers and internal activists — often risk their careers and reputations to alert the public to problematic behavior at the companies they worked for. Some of them are blue-collar workers who take even greater risks to speak out because they have less financial and professional security than corporate employees. But they keep coming forward, as more disillusioned tech workers become convinced they have the unique insights that will force powerful tech giants to face public accountability for their missteps.

To understand why these workers spoke up — and how that impacted their own lives and the world since they did — Recode interviewed almost a dozen recent whistleblowers and employee activists in tech, from Frances Haugen to Chris Smalls, a former Amazon warehouse manager who is now helping lead a movement to unionize the company’s blue-collar workers.

“A few years ago, it was very rare to read about somebody inside a big tech firm speaking up publicly, both at the top and at the bottom. The tide has turned,” said William Fitzgerald, a partner at communications firm The Worker Agency, which specializes in representing workers and whistleblowers in the tech industry.

Even a few years ago, it was a lonelier world for would-be tech whistleblowers. But as more whistleblowers and activists have come forward, they’ve begun building a community that can offer support to conflicted employees.

Will this lead to real change? All this activism and whistleblowing has inarguably shined a glaring light on the problems in the tech industry.

Subject: T-Mobile says new data breach caused by SIM swap attacks
Source: BleepingComputer

SIM swapping (also known as SIM hijacking) makes it possible for attackers to take control of a target’s mobile phone number by tricking or bribing the carrier’s employees to reassign the numbers to attacker-controlled SIM cards.

This enables the threat actors to take control of their victims’ phone numbers and use them to bypass SMS-based multi-factor authentication (MFA), steal their credentials, log into the victims’ bank accounts to steal money, or hijack their online accounts by changing the passwords.

All T-Mobile customers should be on the lookout for any suspicious text messages or emails pretending to be from T-Mobile. Don’t click any links if you receive one, as attackers could use them to harvest your credentials.

T-Mobile provides information on preventing account takeover attempts on this support page.

The FBI shared guidance on defending against SIM hijacking attacks following an increase in the number of SIM hijacking attacks targeting cryptocurrency investors and adopters.

The Federal Trade Commission (FTC) has info on securing personal information on your phone and keeping personal info secure online.


Subject: Instagram copyright infringement scams – don’t get sucked in!
Source: Naked Security

As you can imagine, cybercriminals have learned how to use copyright infringement notices as bait in phishing scams.

By pretending to be a social network such as Instagram, they try to scare you into thinking that there’s an official copyright complaint against you…

…whilst at the same time giving you a quick and easy way of replying to repudiate the complaint.

The criminals know that the complaint is totally bogus, and they know that you know it’s bogus.

But instead of leaving you to realise that it’s bogus because there was no complaint in the first place, they trick you into thinking that the complaint was real, but that the bogus part was the accusation made by the complainer.

To do this, they don’t accuse you themselves, and they don’t threaten to sue; instead, they offer you an easy way to “prove” your “innocence” by providing a link to object to the “complaint”.

While we hope that you’d spot an email scam of this sort right away, we have to admit that some of the copyright phishes we’ve received in recent weeks are much more believable – and better spelled, and more grammatical – than many of the examples we’ve written about before.

Subject: Women Report from the Frontlines of Federal Cryptocurrency Governance
Source: Nextgov

Over the course of 2021, Congress and the administration have recognized significant benefits from diving into the technology, a trend that looks poised to continue. The stereotype of cryptocurrency savviness being male dominated—think “bitcoin bro”—may hold validity in Silicon Valley, but it doesn’t seem to ring true on the government side.

“I just see women kind of owning crypto, especially on the government fronts like in a really wonderful way across the agencies, whether it’s the IRS or all the different components of Treasury that are looking at virtual currency because there’s a lot that look at it from different perspectives,” said Carole House, director of cybersecurity at the National Security Council. “There’s always women in the room. It is something where I think that diversity generally, and that particular aspect of diversity is continuing to grow and it’s just really encouraging to see.”

House was participating in a panel discussion of “women in crypto” hosted in spring by the firm Chainalysis, which aims to help governments and other entities like insurance and cybersecurity companies investigate crimes and “grow consumer access to cryptocurrency safely.”

Agencies are already moving ahead. In September, the IRS issued a request for proposals to apply new research on physical devices for cryptocurrencies that they say could be crucial to investigations.


Subject: US Still Lacks Federal Cyber Strategy After Decades of Attempts
Source: Nextgov

Despite starts and stops dating back to the early 1990s and frequent references to a national strategy, U.S. cybersecurity remains in jeopardy from the lack of a comprehensive plan that includes accountability to specific outcomes, according to a leading official from the Government Accountability Office. “The reality is that every administration, honestly since the Clinton administration, has applied effort and priority to trying to coalesce some sort of national strategy—maybe it’s in different shapes and forms, may be in several documents or one—but no one has gotten all the way there and we definitely have not gotten to the point of actually executing a strategy,” said Nick Marinos, a director of information technology and cybersecurity at GAO.

Marinos was participating in a Dec. 9 event Government Executive hosted on the discipline of enterprise risk management, something federal agencies are required to practice in the development of their individual priorities. Agencies’ risk management activities are guided by technical guidance from the National Institute of Standards and Technology, but Marinos said they should also have a big-picture reference to who’s responsible for what outside of their own operations.

“The Trump administration, they did have a national cyber strategy,” he said. “It had an implementation plan that laid out almost 200 specific activities, who was responsible for what and so there were some good bones to it. But when we went in and looked at these documents, we found a lot of the things that we end up seeing when we go to the agency level on cyber risk, which was a lack of clarity on who’s ultimately responsible for checking up on whether we were actually fulfilling these activities.”
