Pete Recommends Weekly highlights on cyber security issues, February 5, 2022

Subject: Best Password Manager Reviews
Source: Consumer Reports

We evaluated 11 services for digital security, privacy, and ease of use. Passwords are great, but they have their drawbacks, too. It’s really hard to come up with random, unique passwords for dozens of accounts, as security experts recommend, and then commit all of them to memory.

That’s why people tend to reuse the same easy-to-crack passwords again and again, leaving themselves more vulnerable to hacking and identity theft. Don’t do that, security experts say. Just sign up for a password manager.

A service like this will create a new, complex password for each of your online accounts, storing the whole lot in a digital vault protected by a single master password. When you decide to access, say, your retirement savings account, the password manager can log you in, much like those universal log-in privileges provided to Facebook and Google account holders. The problem is there’s no easy way to know which password manager to choose. They all sound good, but are they all created equal?

Subject: The modern workplace: Will remote tech workers tolerate being monitored?
Source: ZDNet via beSpacific

ZDNet – “The same technologies that enable people to work from home can be used to watch them work. A survey finds widespread use of monitoring software and not everyone is told it is there…For work at home advocates the future looks rosy. With the current jobs boom it looks certain that they’ll get what they want – either at their current employer — or somewhere else. But will workers agree to allow their employer to monitor their home office activities? Is it something that can be refused or not? How is the home different from the office where people can be seen to be working at their desks, engaged in meetings, and logging into their IT systems? Do remote workers have a right to refuse to be monitored? released a survey late last year that found widespread use of remote worker monitoring software especially in IT (77%) and advertising (83%). One in seven workers hadn’t been told about it. Working from home might not be such a wonderful thing when you consider that people worked harder – a 10% boost in productivity was reported in the survey after the software was installed…”

[My quick perusal of this article did not indicate whether video or audio were involved and, if so, whether eavesdropping laws applied; also whether non-workers, e.g., children, were present. /pmw1]

Subject: FBI Considered Buying NSO’s Phantom Spyware That Can Hack US Phones: Report
Source: Gizmodo

The Federal Bureau of Investigation spent two years considering whether it should procure a clandestine commercial spyware tool that could reportedly hack any phone within the United States, according to an investigation by New York Times Magazine.

That spyware system, dubbed “Phantom,” was offered secretly to U.S. government agencies by the NSO Group, Israel’s notorious cyberweapons distributor, over a multi-year period between 2019 and last summer. According to the Times, the potential business relationship was negotiated even as NSO increasingly became the subject of controversy, with critics accusing it of aiding human rights abuses in nations around the world.

The American government was reportedly interested in Phantom because NSO’s primary spyware, Pegasus, does not work on U.S. telephone numbers and therefore couldn’t be wielded in law enforcement investigations. The paper reports:


Subject: Global IT services outage at State Department resolved
Source: fedscoop

The State Department resolved its global IT services outage around 1 a.m. EST Friday, a spokesperson told FedScoop.

A defect found in a recently deployed operating system patch caused the disruption to applications including unclassified email, which affected “many users” around the department Thursday, the spokesperson said.

Employees began reporting their email was down Thursday morning, stoking fears of a possible cyberattack. The affected applications are now operating normally.

Subject: Democratic Lawmakers Call for Ban of Surveillance Advertising
Source: Nextgov

Sen. Cory Booker and Rep. Anna Eshoo asked the Federal Trade Commission to consider prohibiting targeted advertising through personal user data.

Democratic lawmakers Sen. Cory Booker, D-NJ, and Rep. Anna Eshoo, D-Calif., penned a letter to the Federal Trade Commission requesting that the agency place limitations on surveillance advertising across digital platforms.

Surveillance advertising is the practice of using users’ personal data, typically gathered through tracking mechanisms such as ‘cookies,’ to decide which advertisements are shown to individual users. Using these targeted techniques has become a staple in online advertising, with paid advertisements offering a source of revenue to hosting websites.

“The surveillance advertising business model is premised on the unseemly collection and hoarding of personal data to enable ad targeting,” the letter reads. “Companies collect huge amounts of data to maximize user engagement because it increases ad revenue.”

Booker and Eshoo also pointed out the use of targeted advertisements as a way foreign entities or adversaries can collect Americans’ data. The lawmakers reference tracking data and targeted ads promoting misinformation as two areas of concern.

The letter follows a bill introduced on Jan. 18 by Booker and Eshoo that would outlaw surveillance advertising, called the Banning Surveillance Advertising Act. The pending legislation would formally outlaw the practice, notably prohibiting advertisers from using personal user data related to sensitive information like race, gender or religion.


Subject: VA inks cybersecurity deal with Palo Alto Networks
Source: Becker’s Health IT

The Department of Veterans Affairs inked a cybersecurity deal with Palo Alto Networks to secure its Internet of Medical Things, EHR modernization program and remote workforce.

Palo Alto Networks’ remote access solution will be used to secure the remote workforce expansion, according to a Jan. 25 press release.

The cybersecurity deal will also include next-generation security technology for the EHR modernization program, which aims to give veterans seamless access to healthcare, and automated visibility into the VA’s network of IoMT devices.

The multiyear agreement will ensure veterans have secure access to healthcare



Subject: Businesses Should Look Out For These Three Payment Fraud Trends in 2022

A new report out from Outseer has identified more than 56,000 payments fraud attacks worldwide across Q3 2021, which is up 14% from the past quarter and marks a 29% year-over-year increase compared to Q3 2020.

Brand abuse attacks, where scammers purport to be reputable and recognisable companies, are on an impressive surge, as they grew 274% year-over-year in Q3 2021 to account for 45% of all attacks the team identified for their report.

But the most interesting element of the year-end summary are the top trends that payments fraud researchers predicted would grow and thrive across 2022. Small businesses — and anyone else who uses digital payments — should know what they are and how to spot them. Here’s our rundown.


Subject: Security agency director urges governors to teach cybersecurity basics

WASHINGTON, Jan. 29 (UPI) — As the nation’s governors consider how to spend funds from President Joe Biden’s bipartisan infrastructure law, the Cybersecurity and Infrastructure Security Agency is encouraging investments in cybersecurity education for Americans of all ages, including public officials and their staffs.

“What we want to do is communicate about this topic in a way where people are not scared to death of it,” CISA Director Jen Easterly said Saturday at the National Governors Association winter meeting.

The $1 trillion bipartisan infrastructure law, signed by the president in November, allocates $1 billion in grant money for states to bolster their cyber defenses. As each state is assessing its individual needs, cybersecurity experts are encouraging partnerships with the private sector and nationwide improvements in cyber literacy.

According to CISA, more than 99% of all cyberattacks could have been prevented with multi-factor authentication, a simple security measure that requires the user to present two or more authentication factors (something they know, have or are) to gain access to their account.

CISA released a resource guide Friday that outlines how state government officials can request federal support in response to future cyber threats. …

Subject: Powerful Spy Tool Sits Unused in a New Jersey Building
Source: Newser

‘NYT Magazine’ digs into Pegasus, a mighty cyberweapon made by an Israeli company.

(Newser) – The US is in possession of what’s described as the world’s most powerful spy tool, a revelation that in and of itself is not too surprising. This part might be: The tool is sitting unused in a New Jersey building because the FBI doesn’t have authorization to deploy it—and that authorization might never come. The unusual situation is described in this weekend’s New York Times Magazine by Ronen Bergman and Mark Mazzetti, whose story is the culmination of a yearlong investigation into cyberwarfare. The piece focuses on Pegasus, surveillance software sold by the Israeli company NSO Group. But this isn’t just any software: Pegasus can “consistently and reliably crack the encrypted communications of any iPhone or Android smartphone,” meaning governments don’t need the cooperation of Apple or other tech firms, per the story.

Subject: Welcome to Identity Theft Awareness Week 2022
Source: FTC Consumer Information blog

Today we’re kicking off Identity Theft Awareness Week 2022. Identity thieves have been busier than ever during the pandemic, with scammers and identity thieves after people’s information to apply for credit, unemployment benefits, file taxes, buy things, or get medical services. But there are some things you can do to protect yourself, and this week, you’ll learn how. For details on the week’s webinars, podcasts, and Facebook Live programs, as well as how to participate, visit Identity Theft Awareness Week 2022. Then join us on Friday, when we’ll wrap up with a Twitter chat discussing identity theft trends, advice on spotting and avoiding identity theft, and how to recover. ..


Subject: 277,000 routers exposed to Eternal Silence attacks via UPnP
Source: Bleeping Computer

A malicious campaign known as ‘Eternal Silence’ is abusing Universal Plug and Play (UPnP) to turn your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.

UPnP is a connectivity protocol optionally available in most modern routers that allows other devices on a network to create port forwarding rules on a router automatically, without any authentication. This allows remote devices to access a particular software feature or device as necessary, with little configuration required by a user.

However, it is yet another technology that trades convenience for security, especially when a flawed UPnP implementation exposes its control interface on the device’s WAN side, letting remote actors add port-forwarding entries that the protocol was only meant to accept from the LAN.

Researchers from Akamai have spotted actors abusing this vulnerability to create proxies that hide their malicious operations, calling the attack UPnProxy.

Out of 3,500,000 UPnP routers found online, 277,000 are vulnerable to UPnProxy, and 45,113 of them have already been infected by hackers.
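What an audit of a router’s mapping table looks like in practice, as an added example (this is not Akamai’s or Bleeping Computer’s code): the SOAP request that walks the WANIPConnection:1 table one entry at a time, a parser for the responses, and the check that separates a normal forward into the LAN from a UPnProxy injection, which forwards to a host outside the LAN so the router relays attacker traffic. The SOAP responses are constructed fixtures, the LAN prefix 192.168.1.0/24 is assumed, and the device control URL and HTTP transport are left out.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class PortMapping(NamedTuple):
    index: int
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    enabled: bool


def build_request(index: int) -> Tuple[Dict[str, str], str]:
    """HTTP headers and SOAP body for one GetGenericPortMappingEntry call. POSTing this
    to the service's control URL (read from the device description; not modelled here)
    with index 0, 1, 2, ... until the device answers with a SpecifiedArrayIndexInvalid
    fault walks the whole mapping table. No credentials are involved: IGD has none."""
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_NS}#{ACTION}"',
    }
    body = (
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{ACTION} xmlns:u="{WANIP_NS}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        f"</u:{ACTION}></s:Body></s:Envelope>"
    )
    return headers, body


def parse_response(index: int, xml_text: str) -> PortMapping:
    """Pull the mapping fields out of a GetGenericPortMappingEntryResponse envelope."""
    root = ET.fromstring(xml_text)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}{ACTION}Response")
    if resp is None:
        raise ValueError(f"entry {index}: not a {ACTION} response")

    def field(name: str) -> str:  # argument elements are unqualified in UPnP SOAP
        return (resp.findtext(name) or "").strip()

    return PortMapping(
        index=index,
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol").upper(),
        internal_client=field("NewInternalClient"),
        internal_port=int(field("NewInternalPort")),
        description=field("NewPortMappingDescription"),
        enabled=field("NewEnabled") == "1",
    )


def classify(m: PortMapping, lan: ipaddress.IPv4Network) -> str:
    """A legitimate rule forwards into the router's own LAN. A rule whose InternalClient
    lies outside every private range makes the router relay traffic to the internet,
    which is the UPnProxy pattern; a forward into some other private range is worth a
    look but is not an internet relay."""
    try:
        client = ipaddress.ip_address(m.internal_client)
    except ValueError:
        return "malformed"
    if client in lan:
        return "lan"
    if any(client in net for net in RFC1918):
        return "other-private"
    return "proxy-injection"


def audit(responses: List[str], lan_cidr: str) -> List[Tuple[PortMapping, str]]:
    lan = ipaddress.ip_network(lan_cidr)
    return [(m, classify(m, lan)) for m in (parse_response(i, r) for i, r in enumerate(responses))]


def injections(responses: List[str], lan_cidr: str) -> List[PortMapping]:
    return [m for m, verdict in audit(responses, lan_cidr) if verdict == "proxy-injection"]


def sample_response(ext_port: int, proto: str, client: str, int_port: int, desc: str) -> str:
    """Constructed fixture shaped like a WANIPConnection:1 response; not captured from a device."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:{ACTION}Response xmlns:u="{WANIP_NS}">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>0</NewLeaseDuration></u:{ACTION}Response></s:Body></s:Envelope>"
    )


# Three constructed table entries: a normal LAN forward, an injected relay to a public
# host (203.0.113.25 is a documentation address standing in for an attacker-chosen
# target), and a forward into a different private range.
SAMPLE_RESPONSES = [
    sample_response(8080, "TCP", "192.168.1.20", 80, "media server"),
    sample_response(47001, "TCP", "203.0.113.25", 80, "proxy"),
    sample_response(6881, "UDP", "10.0.0.5", 6881, "torrent"),
]

if __name__ == "__main__":
    for m, verdict in audit(SAMPLE_RESPONSES, "192.168.1.0/24"):
        print(f"{verdict:16} {m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port} ({m.description})")
```

The same walk run against a router's LAN-side control URL is how to check your own device; if the table can also be read or written from the WAN address, the router is in the exposed population the article counts, and disabling UPnP (or at least WAN-side UPnP) is the fix.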


Subject: Getting facial recognition right
Source: GCN

To realize the benefits of facial recognition while maintaining ethical integrity, agencies must ensure systems’ accuracy, security and resistance to bias.

Privacy concerns around the use of biometrics, particularly facial recognition, often stem from ambiguous consent and transparency issues.

We believe organizations must have facial recognition policies and procedures that are clear and consent-based. They should have easy opt-in and opt-out options and be transparent about what information is being collected and how it is being used. This enables users to “own their identities” and helps them feel secure in how organizations are using their data.

We also believe, however, there is one exception where the consent-based approach should not be binding — and that is for specific homeland security, law enforcement and public safety use cases. U.S. federal agencies and law enforcement operations have had some great successes with facial recognition, and we believe few would question the integrity or permissibility of these.

Is there a way to realize the benefits of facial recognition while maintaining ethical integrity? The answer is yes — by putting the proper guardrails in place:

Subject: Hackers Spoof Post Office Notices To Spread Notorious Trickbot Malware
Source: Forbes

Keep an eye on your email for messages from the U.S. Postal Service claiming that you’ve missed an important delivery. Cybercriminals are abusing the public’s trust in the USPS to trick victims into installing the resurgent Trickbot malware.


Subject: Academic Journal Claims it Fingerprints PDFs for ‘Ransomware,’ Not Surveillance
Source: Vice via beSpacific

Vice: “One of the world’s largest publishers of academic papers said it adds a unique fingerprint to every PDF users download in an attempt to prevent ransomware, not to prevent piracy. Elsevier defended the practice after an independent researcher discovered the existence of the unique fingerprints and shared their findings on Twitter last week. “The identifier in the PDF helps to prevent cybersecurity risks to our systems and to those of our customers—there is no metadata, PII [Personal Identifying Information] or personal data captured by these,” an Elsevier spokesperson said in an email to Motherboard. “Fingerprinting in PDFs allows us to identify potential sources of threats so we can inform our customers for them to act upon. This approach is commonly used across the academic publishing industry.” When asked what risks he was referring to, the spokesperson sent a list of links to news articles about ransomware. However, Elsevier has a long history of pursuing people who pirate or share its paywalled academic articles. In 2015, …
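The usual way a per-download identifier like this is found is to fetch the same article twice and diff the files. Here is that differential check as an added example, not the researcher’s or Elsevier’s code: the two PDFs are constructed skeletons with an assumed /Custom entry carrying a hypothetical download token, and the diff runs on raw bytes, since a real marker may sit in metadata, an object stream or page content rather than in extracted text.

```python
import difflib
from typing import List, NamedTuple


class Variant(NamedTuple):
    offset: int      # byte offset of the region in the first file
    a_bytes: bytes   # what download A carries there
    b_bytes: bytes   # what download B carries there
    context: bytes   # stable bytes just before the region, to see which object/key it sits in


def make_sample_pdf(token: str) -> bytes:
    """Constructed minimal PDF skeleton, not a real publisher download. The only
    per-copy content is a hypothetical /Custom entry in the Info dictionary."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"4 0 obj << /Producer (publisher-platform) /Custom (" + token.encode("ascii") + b") >> endobj\n"
        b"trailer << /Root 1 0 R /Info 4 0 R >>\n"
        b"%%EOF\n"
    )


def find_variable_regions(a: bytes, b: bytes, min_stable_run: int = 8, context: int = 24) -> List[Variant]:
    """Byte-level diff of two downloads of the same document. Non-equal opcodes that are
    separated by fewer than min_stable_run identical bytes are merged, so a token whose
    characters happen to coincide with the other copy's still comes back as one region."""
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    spans: List[List[int]] = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if spans and i1 - spans[-1][1] < min_stable_run:
            spans[-1][1], spans[-1][3] = i2, j2
        else:
            spans.append([i1, i2, j1, j2])
    return [Variant(i1, a[i1:i2], b[j1:j2], a[max(0, i1 - context):i1]) for i1, i2, j1, j2 in spans]


def describe(regions: List[Variant]) -> str:
    if not regions:
        return "no per-download differences found"
    return "\n".join(
        f"offset {r.offset}: {r.a_bytes!r} vs {r.b_bytes!r}  (after {r.context!r})" for r in regions
    )


if __name__ == "__main__":
    first = make_sample_pdf("dl-7f3a9c")
    second = make_sample_pdf("dl-0b12e4")
    print(describe(find_variable_regions(first, second)))
```

Two copies fetched from different accounts that differ only in a short region with stable surroundings are the signature of a per-download marker; copies that differ in timestamps or random object IDs as well will show several regions, and the context bytes tell them apart.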

Subject: How to Protect Yourself From Common Scams
Source: Consumer Reports

Like Chavez, a growing number of Americans are falling victim to scams. The first three quarters of 2021 saw 2.1 million reports of fraud, putting it on a par with all of 2020, according to the Federal Trade Commission. And in a November 2021 nationally representative Consumer Reports survey (PDF) of 2,057 American adults, 95 percent said they had received communication in the previous 30 days that they believed to be fraudulent. Almost half of Americans reported getting six or more phony messages in a typical week.

The pandemic—and all the time people have been spending online, where scammers can target them by text, email, and social media—likely plays a role. In addition, “the scam landscape has changed,” with international criminal organizations increasingly in the mix, says Kathy Stokes, director of fraud prevention programs at the AARP. “They’ve got offices and employees, and lead lists that they buy off other scammers.”

But no matter how sophisticated scammers are, there’s plenty you can do to help protect yourself. Here, how to spot some top scams, what to do if you’ve been targeted, and how to avoid fraudsters in the future.

Subject: Lawmakers call for increased federal authority to combat COVID-19 scams

Feb. 1 (UPI) — Senate lawmakers on Thursday said the federal government must do more to prevent price gouging and other scams targeting consumers seeking protection against COVID-19.

During a hearing titled “Stopping COVID-19 Fraud and Price Gouging” on Thursday afternoon, Sen. Richard Blumenthal, chair of the Senate subcommittee on consumer protection, product safety and data security, said he has received 800 reports of price gouging in his state of Connecticut alone while stating a “lack of sufficient authority” in the federal government is a major cause of the problem.

“There is a glaring lack of enforcement at the federal level,” Blumenthal, D-Conn., said. “The federal government, including the Federal Trade Commission and the Department of Justice have few legal tools to hold price gougers accountable. That is a glaring gap in the law that needs to be corrected.”

Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said the agency has taken steps to combat price gouging and fraud, including engaging law enforcement to stop and deter COVID-related scams, collecting and analyzing data to identify consumer fraud trends and using social media and other forms of outreach to educate consumers.

He added, however, that the “battle remains uphill so long as the digital platforms continue to wash their hands of the fraud that they are facilitating,” referring to both social media companies and online marketplaces which he said avoid responsibility for such fraud under Section 230 of the Communications Decency Act.

Subject: Google Makes Opting Out Harder for Workspace Customers
Source: Gizmodo

Heads up for all the Google Workspace users out there: starting at the end of next month, you’re going to need to take a few extra steps to delete your data off the platform.

Historically, Google users have been able to tweak the ways the tech giant tracks them across the web using their “Web & Activity Settings,” which lets any Googler—on Workspace or otherwise—turn off the company’s ability to track their activity across different sites and services, their location, and more. Workspace admins were also able to automatically flip on and off activity tracking for the users in their organization.

That’s all changing on March 29th, according to a new FAQ posted on Google’s Workspace administrator forum. At the end of that month, the company will be adding a new feature—“Workspace search history”—that can continue to track these customers, even if they, or their admins, turn activity tracking off.

The worst part? Unlike Google’s activity trackers that are politely defaulted to “off” for all users, this new Workspace-specific feature will be defaulted to “on,” across Workspace apps like Gmail, Google Drive, Google Meet, and more.


Subject: Fraudsters set to pounce on massive infrastructure money
Source: GCN

State and local governments need to proactively monitor the spending of infrastructure funds and not wait until after a project is underway to conduct audits or identify risks.

Fraudsters stand to siphon off $120 billion or more of the federal infrastructure money flowing to states and local governments for roads, bridges, broadband and other projects over the next five years, some experts predict.

At least 10% of the total $1.2 trillion in infrastructure funding could be used fraudulently, estimates Stephen Street, president of the Association of Inspectors General, a nonprofit membership group.

“Our experience has always been when you have a large amount of money—and this is pretty gargantuan—there will be an element of fraud built in,” said Street, who also is Louisiana’s inspector general. “It will take many forms: false documentation, being reimbursed for monies never spent, phony records.”

While federal agencies ultimately are responsible for how the money gets spent, it will fall to states, cities and counties awarding contracts to oversee everything from the bidding process to the quality of the work, say auditors and watchdog groups.

“Monitoring is critical. You have to have somebody looking,” Street said. “Once you award a contract for a transportation project, is it being honored? Is there fraud in the area of specs, materials, inspections? Is the company real?”

Subject: Bill seeks to criminalize dangerous drone activity
Source: Homeland Preparedness News

U.S. Sens. Bill Cassidy (R-LA), Chuck Grassley (R-IA), and Mark Kelly (D-AZ) introduced this week the Drone Act of 2022, which seeks to criminalize dangerous drone activity, including actions of drug and human traffickers embracing drone technology to facilitate operations.

The legislators noted that criminals have begun attaching weapons to drones, posing national security and public safety concerns.

“From the southern border to cities across the country, criminals are using drones to smuggle drugs, weapons and commit crimes that put Americans at risk,” Cassidy said. “We must confront this new threat.”

Posted in: AI, Congress, Cybercrime, Cybersecurity, Economy, Education, Financial System, KM, Legal Research, Legislative, Privacy