Pete Recommends – Weekly highlights on cyber security issues, April 23, 2022

Subject: Report Finds Identity Fraud Up 167% In USPS Change Of Address Requests
Source: Nextgov

The USPS Office of the Inspector General recommends stricter online identity verification controls; Postal Service management disagrees. Fraudulent changes of address submitted online through the U.S. Postal Service’s digital tools skyrocketed from 2020 to 2021, a rise the report links to ineffective identity verification in the agency’s technology.

According to the new report from the USPS Inspector General, the Postal Service did not implement sufficiently stringent identity verification controls on its Moversguide page, the website used to complete a formal online change of address. An attacker who redirects a victim’s mail can intercept sensitive documents, which can lead to identity theft.

USPS management told the report’s authors that the Moversguide webpage was initially designed without robust identity verification controls for confirming that a change-of-address request is legitimate. The chief recommendation is to implement more effective identity verification technology on the Moversguide application to prevent fraud.


NB: the PDF report is 12 pages – Management Alert – Issues Identified with Internet Change of Address, Report Number 22-058-R22.

Subject: Microsoft Teams Adds an Emergency Call Alert

Microsoft has added yet another feature to its Teams web conferencing platform: admins can now create custom banners to let team members know when an emergency call is incoming.

It can be easy to miss notifications when knee-deep in a project, and many workers actively try to avoid disruptions.

But any emergency case must be dealt with immediately, and that requires a notification that can cut through the noise. Here’s what to expect from Microsoft Teams’ new function.


Subject: Coming ID order should focus on digital credentials, say trade groups
Source: FCW

Standards for mobile driver’s licenses top the wish list of groups looking to steer the direction of the administration’s action on combating identity theft and fraud.

The government should combat identity theft by encouraging the development and use of digital mobile driver’s licenses and identity attribute validation services by agencies, according to a letter to Biden administration officials from six technology trade groups.

In his State of the Union speech, President Joe Biden pledged to combat fraud in benefits delivery, and according to a White House fact sheet, those efforts include a coming executive order covering identity theft.

In an April 13 letter, six industry groups, including the Better Identity Coalition, the Cybersecurity Coalition and the Technology Engagement Center at the U.S. Chamber of Commerce, urged administration leaders to equip Americans with new tools to protect against identity theft.

The groups want the administration to accelerate the development of mobile driver’s licenses (mDLs), promulgate standards for their security and focus on their use in digital identity proofing rather than as a credential for use in transportation. Early use cases are developing the digital IDs as a substitute for physical identity documents to get through airport security.

“The most urgent problems mDLs can solve are focused in the digital world,” the letter states.
The groups also want to offer Americans a “one-stop shop” that provides support for victims of identity crime as well as assistance for those who have been left out of the identity infrastructure established by the strict requirements of the REAL ID Act of 2005 – including the elderly, youth in foster care, people exiting incarceration and others who may not have access to the documentation required to obtain a state or territorial identification credential due to the restrictions of the post-9/11 legislation.


Subject: What happens to your privacy using TurboTax and H&R Block?
Source: Washington Post

We investigate why TurboTax and H&R Block ask you to give up your return’s basic federal privacy protections, and explain how to demand your data back.

You may use TurboTax or H&R Block online to save money filing your taxes. But did you know that by clicking “agree” to some of their privacy prompts, you may be letting them use you?

An eagle-eyed Washington Post reader pointed me to a curious question he received while starting his taxes with H&R Block online. When you’re setting up your account — after you’ve already agreed to H&R Block’s regular privacy policy — the website asks for permission to also access your data to “optimize your H&R Block experience.”

It goes on: “If you agree to share your tax return details, after you file, we can provide many benefits.” Then it asks you to click agree to two bunches of legalese, one labeled as “personalized services” and the other as “quicker product support.”

What he discovered is a little-discussed evolution of the tax-prep software industry from mere processors of returns to profiteers of personal data. It’s the Facebook-ization of personal finance.


Subject: The FBI is breaking into corporate computers to remove malicious code – smart cyber defense or government overreach?
Source: The Conversation

The FBI currently has the authority to access privately owned computers without their owners’ knowledge or consent and to delete software from them. It is part of a government effort to contain the continuing attacks on corporate networks running Microsoft Exchange software, and it is an unprecedented intrusion that raises legal questions about just how far the government can go. On April 9, the United States District Court for the Southern District of Texas approved a search warrant allowing the U.S. Department of Justice to carry out the operation.

The software the FBI is deleting is malicious code installed by hackers to take control of a victim’s computer. Hackers have used the code to access vast amounts of private email messages and to launch ransomware attacks. The authority the Justice Department relied on and the way the FBI carried out the operation set important precedents. They also raise questions about the power of courts to regulate cybersecurity without the consent of the owners of the targeted computers.

As a cybersecurity scholar, I have studied this type of cybersecurity, dubbed active defense, and how the public and private sectors have relied on each other for cybersecurity for years. Public-private cooperation is critical for managing the wide range of cyber threats facing the U.S. But it poses challenges, including determining how far the government can go in the name of national security. It’s also important for Congress and the courts to oversee this balancing act.

The law and the courts – The Computer Fraud and Abuse Act generally makes it illegal to access a computer without authorization. The law, though, exempts lawfully authorized investigative activity by law enforcement. The FBI’s power to remove malicious code from private computers without the owners’ permission stems from a 2016 change to Rule 41 of the Federal Rules of Criminal Procedure. That revision was designed in part to let the U.S. government more easily battle botnets and pursue other cybercrime investigations in situations where the perpetrators’ locations remain unknown. It permits a magistrate judge to issue a single warrant authorizing remote access to computers located outside the judge’s district, or whose location has been concealed.

Important legal issues remain unresolved with the FBI’s current operation. One is the question of liability. What if, for example, the privately owned computers were damaged in the FBI’s process of removing the malicious code? Another is how to balance private property rights against national security needs in cases like this. What is clear, though, is that under this authority the FBI can reach into large numbers of privately owned computers on the strength of a single warrant, without notice to or consent from their owners.


Subject: CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment
Source: CISA

CISA has released draft versions of two guidance documents—along with a request for comment (RFC)—that are a part of the recently launched Secure Cloud Business Applications (SCuBA) project:

  • Secure Cloud Business Applications (SCuBA) Technical Reference Architecture (TRA)
  • Extensible Visibility Reference Framework (eVRF) Program Guidebook

The public comment period for the RFC guidance documents closes on May 19, 2022.

In accordance with Executive Order 14028, which is aimed at improving security for federal government networks, CISA’s SCuBA project aims to develop consistent, effective, modern, and manageable security that will help secure agency information assets stored within cloud operations.

CISA encourages interested parties to review the RFC guidance documents and provide comment. See the CISA blog post “SCuBA? It means better visibility, standards, and security practices for government cloud” for more information and for links to the RFC guidance documents.

Subject: Real-time voice concealment algorithm blocks microphone spying
Source: Bleeping Computer

Columbia University researchers have developed a novel algorithm that can block rogue audio eavesdropping via microphones in smartphones, voice assistants, and connected devices in general.

The algorithm works predictively: it infers what the user will say next and generates obstructive audible background noise (whispers) in real time to cover the sound.

For now, the system works only with English and has a rate of success of roughly 80%. The volume of the noise is relatively low, minimizing user disturbance and allowing comfortable conversations.

In real-world tests, the system made speech impossible to discern by automatic speech recognition technology, regardless of which recognition software was used or where the microphone was positioned.

The university’s announcement says future work will extend the system to other languages whose linguistic structure permits similar performance, and will aim to make the whispering sound completely imperceptible.


Subject: Companies lose your data and then nothing happens
Source: VOX via beSpacific

Vox: “…High-profile data breaches have been in the headlines for years. In 2013, Target lost the credit card, debit card, and other information of tens of millions of customers. In 2018, Marriott disclosed a data breach that impacted up to 500 million people; in 2020, it got hit again. In 2021, hackers got a bunch of customer information from T-Mobile that the company reportedly tried and failed to get back. The list of breaches goes on and on. Of course, these companies would surely rather not be dealing with these situations — data breaches cost firms millions of dollars and are often accompanied by reputational damage and sometimes fines. At the same time, that doesn’t mean the constant loss of consumer data is acceptable. Sure, we live in the era of the internet, and some security risks are inevitable. But that shouldn’t mean that you have to throw your hands up and accept your data is safe, basically, nowhere. The Targets and Equifaxes of the world got hit with big fines, but they still get to exist — lucratively. And they’re still constantly sucking up and monetizing consumers’ personal information. There’s a simple reason companies collect so much of our data — money — but why they get to collect so much, keep it, and monetize it is more complicated. There are some laws around data privacy and security, but they’re scattershot and generally handled state by state, and they could be better. Companies keep screwing up with our data, and there are no good answers on what to do about it.”

Subjects: E-Commerce, E-Records, Health Care, ID Theft, Knowledge Management, Legal Research, Marketing, Privacy

Subject: Cell carriers can use your web history for ads
Source: WaPo via beSpacific

Washington Post: “Here’s how you can opt out of carriers’ ad programs, which run on your personal data. When you signed up for your cellphone plan, your carrier may have signed you up for something extra: a program that uses data including your Internet history to target you with ads. I visited my own Verizon account settings and found that yep, I was enrolled in what the company calls “Custom Experience.” Not only do I have no memory of saying yes, I had no idea wireless carriers were in the business of peeking in on my activities and using that information to market to me. And my blissful ignorance works in the company’s favor…I read privacy policies from the three major wireless carriers — Verizon, AT&T and T-Mobile — and my eyeballs are only bleeding a little. …

Subjects: E-Commerce, Internet, Privacy

Posted in: AI, Conferencing Software, Cybercrime, Cybersecurity, Data Mining, Federal Legislative Research, KM, Legal Research, Privacy