Pete Recommends – Weekly highlights on cyber security issues, April 2, 2022

Subject: The real scandal behind ex-Google CEO Eric Schmidt paying for Biden’s science office
Source: Vox recode

Former Google CEO Eric Schmidt has faced a backlash since Politico reported earlier this week that he indirectly funds and wields unusually heavy influence over an important White House office tasked with advising President Joe Biden’s administration on technical and scientific issues. The ethical concerns surrounding this news are glaring: A tech billionaire with an obvious personal interest in shaping government tech policy is giving money to an independent government agency devoted to tech and science, albeit through his private philanthropic foundation.

The real scandal, however, is that a government office needed philanthropic aid to fund its work in the first place, creating an ethical quandary over potential conflicts of interest.

“It’s not that [Schmidt] shouldn’t have a seat at the table,” Goodman said. “It’s that we can’t just outsource our problems to billionaires who are always going to have conflicts of interest.”


Subject: Why digital ID for airport check-in is taking so long
Source: GCN

Several states have experimented with mobile driver’s licenses (mDLs), but there are many considerations to address before the technology can be used at airport security checkpoints and more widely adopted, according to the Department of Homeland Security. To ensure that the process is secure and interoperable, DHS described how its Science and Technology Directorate (S&T), the National Institute of Standards and Technology and the Transportation Security Administration are working to develop an mDL framework that has security, privacy and authentication features that will work for DHS use cases.

Three groups are involved in the issuance and use of mDLs: state licensing agencies, the end users and the government agency or business that requires photo IDs to verify identities.

That means mDLs require an ecosystem that includes users, their phones, the authenticated digital ID, reader devices, cyber infrastructure, privacy standards and secure data transfer. Without the physical security features of a plastic card to rely on, these components will support the provisioning, issuance, acceptance, updating and authentication of mDLs, officials said.

TSA, for its part, is developing a system to authenticate mDLs using a public key infrastructure framework – a set of roles, policies, hardware, software and procedures that govern the creation, management, distribution, usage, storage and revocation of digital certificates and management of public-key encryption – at its security checkpoints, according to DHS.
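The PKI-based authentication flow described above, as an added example that is not DHS, TSA or any state agency’s code and does not follow the real mDL framework’s data formats: a licensing agency acts as the root CA and issues a document-signing certificate, the holder’s credential is a signed payload plus that certificate, and the reader trusts only the issuer root and the issuer’s revocation list. The issuer name, serial numbers, JSON payload, one-hour signer lifetime and the serial-number revocation map standing in for a CRL are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Credential is a signed mDL payload as a reader receives it: data, signer cert (DER), signature.
type Credential struct{ Data, Signer, Sig []byte }

// Issue generates a P-256 key and certificate. With ca nil the result is a
// self-signed root (the licensing agency); otherwise a signing leaf under ca.
func Issue(cn string, serial int64, lifetime time.Duration, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, parentKey := ca, caKey
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Sign is the holder side: the document-signer key signs SHA-256(data).
func Sign(data []byte, signer *x509.Certificate, key *ecdsa.PrivateKey) (Credential, error) {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	return Credential{Data: data, Signer: signer.Raw, Sig: sig}, err
}

// Verify is the reader side (e.g. a checkpoint). It holds only the trusted issuer roots and
// the issuer's revocation list; it checks chain and validity window, then revocation, then the signature.
func Verify(c Credential, roots *x509.CertPool, revoked map[string]bool, now time.Time) error {
	signer, err := x509.ParseCertificate(c.Signer)
	if err != nil {
		return err
	}
	// The leaf carries no extended key usage, so disable the default ServerAuth requirement.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return err
	}
	if revoked[signer.SerialNumber.String()] {
		return errors.New("signer certificate revoked")
	}
	h := sha256.Sum256(c.Data)
	if pub, ok := signer.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], c.Sig) {
		return errors.New("signature does not cover presented data")
	}
	return nil
}

// Scenarios builds one issuer and one signer, then has the reader check a genuine credential,
// a tampered copy, the genuine one after its signer is revoked, and the genuine one after the signer expires.
func Scenarios() map[string]error {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	ca, caKey, err := Issue("Example State DMV Root", 1, 365*24*time.Hour, nil, nil) // hypothetical issuer
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	signer, signerKey, err := Issue("mDL document signer", 1001, time.Hour, ca, caKey)
	check(err)
	good, err := Sign([]byte(`{"given_name":"Jane","family_name":"Doe","birth_date":"1990-01-01"}`), signer, signerKey) // constructed payload
	check(err)
	tampered := good
	tampered.Data = []byte(`{"given_name":"Jane","family_name":"Doe","birth_date":"2005-01-01"}`)
	now := time.Now()
	return map[string]error{
		"valid":    Verify(good, roots, nil, now),
		"tampered": Verify(tampered, roots, nil, now),
		"revoked":  Verify(good, roots, map[string]bool{"1001": true}, now),
		"expired":  Verify(good, roots, nil, now.Add(2*time.Hour)),
	}
}
```

Scenarios() returns nil for the genuine credential and an error for the tampered, revoked and expired cases. The order inside Verify is deliberate: chain and validity window first, revocation second, and the signature over the payload last, so the reader never evaluates a signature from a key it has not yet decided to trust. A production reader would fetch the issuer’s CRL or OCSP response rather than take a revocation map as an argument.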

Subject: Postal inspectors’ digital intelligence team sometimes acted outside of legal authorities, report says
Source: FedScoop

An internet intelligence and analytics support team for postal inspectors overstepped its legal authority in some cases, according to the inspector general for the U.S. Postal Service. The Analytics Team, known until April 2021 as the Internet Covert Operations Program (iCOP), occasionally used open-source intelligence tools beyond the Postal Inspection Service’s legal authorities, and its record-keeping about some of that activity was inadequate, according to the March 25 report by the Office of the Inspector General for the USPS.

As part of their work assisting postal inspectors, the analysts conducted “proactive searches” for publicly available information online that could help root out postal crimes, the report says, but in some cases they used keywords that did not have a “postal nexus” — that is, “an identified connection to the mail, postal crimes, or the security of Postal Service facilities or personnel.”


Subject: Hackers Are Impersonating Police to Subpoena People’s Data
Source: Gizmodo

In recent years, it’s become alarmingly routine for law enforcement agencies to subpoena tech platforms for user data, a practice that some critics see as an invasive privacy violation. Criminals are taking note, and now they’re doing it, too. Security blogger Brian Krebs reports that hackers have been hijacking law enforcement email accounts and using them to submit phony data demands to tech companies. The ploy has been working: hoodwinked firms have handed over troves of user information to crooks by accident.

Krebs details a recent incident in which cybercriminals took over the email account of an unnamed law enforcement agency. The hackers then used the account to submit a data request to chat platform Discord, asking for information on an 18-year-old user from Indiana. Discord fell for it and forked over the data.

The way that criminals have managed to get away with this innovative exploit is by taking advantage of a special kind of government subpoena, called an Emergency Data Request, or EDR. Such requests are meant to be filed in life-or-death scenarios where information is needed immediately and the delay of court approval would lead to grave consequences. As such, EDRs do not require the typical internal review that companies are supposed to carry out with normal data requests. Mark Rasch, a former Justice Department prosecutor, told Krebs that an EDR amounted to an “emergency process, almost like you see on Law & Order, where they say they need certain information immediately” and tech companies tend to dutifully respond.


Subject: Mitigating Attacks Against Uninterruptable Power Supply Devices
Source: CISA

CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. UPS devices provide emergency power in a variety of applications when normal power sources are lost. Organizations can mitigate attacks against their UPS devices by immediately removing management interfaces from the internet. Review CISA and DOE’s guidance on mitigating attacks against UPS devices for additional mitigations and information.

Subject: FCC Adds Kaspersky and Chinese Telecom Firms to National Security Threat List
Source: The Hacker News

The U.S. Federal Communications Commission (FCC) on Friday moved to add Russian cybersecurity company Kaspersky Lab to the “Covered List” of companies that pose an “unacceptable risk to the national security” of the country. The development marks the first time a Russian entity has been added to the list, which has otherwise been dominated by Chinese telecommunications firms. Also added alongside Kaspersky were China Telecom (Americas) Corp and China Mobile International USA.

The FCC’s decision also mirrors an advisory released by Germany’s Federal Office for Information Security (BSI) this month against using the company’s security solutions in the country over “doubts about the reliability of the manufacturer.”

Subject: Almost 50M US Residents Lost Health Data in Breaches Last Year

Hacks are behind almost 75% of all breaches, up from just 35% in 2016. Can your organization still stay safe? Nearly 50 million people lost their personal health data to a breach in 2021 alone, according to a new analysis of HHS stats from Politico.

Another analysis found that the average data breach in 2021 has cost healthcare organizations about $9.23 million.

Even the healthcare industry breaches don’t tell the whole story: Breaches are a problem across the business world, with a total of 5.9 billion accounts targeted in data breaches last year.

What other causes could be behind the rise in recent years? Politico has a few suggestions:

“Experts say the increased hacking can be attributed to the health care industry’s rapid move to digital, particularly amid the Covid-19 pandemic; an increase in remote work, which allows more avenues for attacks with employees using more personal devices; the financially lucrative information for cybercriminals in health care; and greater awareness of attacks across the industry, thus more reporting.”



Posted in: Criminal Law, Cybercrime, Cybersecurity, Financial System, Legal Research, Open Source, Privacy, Travel