Pete Recommends – Weekly highlights on cyber security issues, July 16, 2022

Subject: Should we be worried about real-time facial recognition systems?
Source: VentureBeat
https://venturebeat.com/2022/07/09/should-we-be-worried-about-real-time-facial-recognition-systems/

Real-time facial recognition systems are no longer speculative – they have become a real-world security solution with several practical, powerful applications. However, the rise of this technology also poses some interesting ethical questions. So, should you be worried about how it will impact daily life? We’ve all seen, and probably scoffed at, thrillers in which intelligence agencies or the police can zoom in on a face in a blurry security video, make the image crystal-clear with the touch of a button and match that face to one of the 7.8 billion people on Earth in seconds. Facebook users might be familiar with the social network’s own facial recognition software, which performs similar searches on users’ photos, and which has recently been shut down “as part of a company-wide move to limit the use of facial recognition in our products.”

However, advancements in the field raise a number of pressing ethical questions, which the sector must be ready to answer as adoption rates rise. In particular, there is growing concern about the potential for these systems to be used by bad actors to commit fraudulent activity. Privacy campaigners also cite worries about the technology, with others wondering if it may be used to impinge on human rights in the near future. So, the question is whether the rest of us should be worried.

…

Topics: Applied AI; Data Decision Makers; Security

Subject: My Thoughts About Google’s New Blog Post Regarding Health-Related Data Privacy
Source: Lauren Weinstein’s Blog
https://lauren.vortex.com/2022/07/01/my-thoughts-about-googles-new-blog-post-regarding-health-related-data-privacy

In my very recent post: Internet Users’ Safety in a Post-Roe World, I expressed concerns regarding how Internet and telecommunications firms would protect women’s and others’ data in a post-Roe v. Wade world of anti-abortion states’ health data demands.

Google has now briefly blogged about this, at: “Protecting people’s privacy on health topics”

The most notable part of the Google post is the announcement of this important change: “Location History is a Google account setting that is off by default, and for those that turn it on, we provide simple controls like auto-delete so users can easily delete parts, or all, of their data at any time. Some of the places people visit — including medical facilities like counseling centers, domestic violence shelters, abortion clinics, fertility centers, addiction treatment facilities, weight loss clinics, cosmetic surgery clinics, and others — can be particularly personal. Today, we’re announcing that if our systems identify that someone has visited one of these places, we will delete these entries from Location History soon after they visit. This change will take effect in the coming weeks.”

Subject: Here’s how North Korean operatives are trying to infiltrate US crypto firms
Source: CNNPolitics
https://www.cnn.com/2022/07/10/politics/north-korean-hackers-crypto-currency-firms-infiltrate/index.html

Now, US federal investigators are publicly warning about a key pillar of the North Korean strategy, in which the regime places operatives in tech jobs throughout the information technology industry.

The FBI, Treasury and State departments issued a rare public advisory in May about thousands of “highly skilled” IT personnel who provide Pyongyang with “a critical stream of revenue” that helps bankroll the regime’s “highest economic and security priorities.”

It’s an elaborate money-making scheme that relies on front companies, contractors and deception to prey on a volatile industry that is always on the hunt for top talent. North Korean tech workers can earn more than $300,000 annually — hundreds of times the average income of a North Korean citizen — and up to 90% of their wages go to the regime, according to the US advisory.

The list of companies targeted by North Koreans covers just about every aspect of the freelance technology sector, including payment processors and recruiting firms, the official said.

In April, a 39-year-old American computer programmer named Virgil Griffith was sentenced to more than five years in US prison for violating US sanctions on North Korea after speaking at a blockchain conference there in 2019 on how to evade sanctions. Griffith pleaded guilty and, in a statement submitted to the judge before sentencing, expressed “deep regret” and “shame” for his actions, which he attributed to an obsession to see North Korea “before it fell.

Subject: Week in review: Quantum-resistant encryption, attackers using deepfakes, Patch Tuesday forecast
Source: Help Net Security
https://www.helpnetsecurity.com/2022/07/10/week-in-review-quantum-resistant-encryption-attackers-using-deepfakes-patch-tuesday-forecast/

Lot’s of linked summaries. Here’s an overview of some of last week’s most interesting news, articles, interviews and videos…

Subject: Deleting files isn’t enough. Here’s how to properly erase hard drives
Source: WaPo via beSpacific
https://www.bespacific.com/deleting-files-isnt-enough-heres-how-to-properly-erase-hard-drives/

Washington Post – “The right software can help. So can some power tools…just because you’ve deleted a file on your computer and emptied the Recycle Bin doesn’t mean it’s gone forever. Making sure those files are properly gone will take some extra work, but if you’re considering donating, selling, or even recycling an old computer with a hard drive in it, it’s absolutely worth putting in the time. “There are so many stories about people buying used computers online and recovering data,” said Andrés Arrieta, director of consumer privacy engineering at the Electronic Frontier Foundation. “It’s kind of scary. It’s all your life there.” If you’re serious about keeping your data away from potentially prying eyes, here’s how to securely erase your old hard drives. For hard drives inside a working computer. If you can actually fire up and use the computer you’re trying to get rid of, consider yourself lucky. With the right software, the process can be mercifully simple. Thankfully, in some cases, the operating system that runs the computer already has everything you’ll need to securely erase the hard drive…”

WaPo filed: https://www.washingtonpost.com/personal-tech/data-privacy/

Subject: Criminals Use Google Ratings in Widespread Extortion Scam
Source: NYT via Newser
https://www.newser.com/story/322847/criminals-use-google-ratings-in-widespread-extortion-scam.html

Newser – A new extortion scam is hitting popular restaurants from coast to coast. According to the New York Times, cyber criminals start by leaving a few one-star Google ratings, followed by an email threatening to continue the bombardment unless the victim forks over a $75 Google Play card. In their message, the extortionists attempt to pull heartstrings, writing, “We sincerely apologize for our actions, and would not want to harm your business, but we have no other choice.” They also explain that they’re from India, where the card’s value is equivalent to three weeks’ income for a family….According to the Houston Chronicle, one area restaurant took advantage of that fact by mustering its loyal fans, who soon countered the extortion attempt with nearly 100 new five-star ratings.

Subject: Amazon gave Ring camera footage to police without owners’ consent 11 times
Source: UPI.com
https://www.upi.com/Top_News/US/2022/07/13/amazon-admits-giving-ring-doorbell-surveillance-videos-to-police-without-owner-consent-privacy-issues/1061657737386/

July 13 (UPI) — Amazon gave Ring doorbell camera footage, without owners’ consent, to police at least 11 times this year, according to findings released Wednesday.Amazon’s admission was made in a letter the online retail giant sent to Sen. Ed Markey, D-Mass., on July 1 after he raised privacy issues over the doorbell cameras.

“Ring’s surveillance system threatens the public in ways that go far beyond abstract privacy invasion,” Markey wrote in June. “Individuals may use Ring devices’ audio recordings to facilitate blackmail, stalking and other damaging practices.”

Amazon, which runs Ring cameras, had previously said the footage is handed over to police only if it is demanded by a court order, if the owner gives their permission or if there is an “emergency.” Amazon said the 11 instances halfway through 2022 were “emergency situations,” which the company defined as “cases involving imminent danger of death or serious physical injury to any person.”

Amazon’s app called Neighbors allows users to post Ring camera footage and leave comments. Amazon currently has agreements with 2,161 police departments across the country allowing officers to use the app.

Subject: In a Post-Roe World, the Future of Digital Privacy Looks Even Grimmer
Source: NYT via beSpacific
https://www.bespacific.com/in-a-post-roe-world-the-future-of-digital-privacy-looks-even-grimmer/

The New York Times – “The sheer amount of tech tools and knowledge required to discreetly seek an abortion underlines how wide open we are to surveillance…In states that have banned abortion, some women seeking out-of-state options to terminate pregnancies may end up following a long list of steps to try to shirk surveillance — like connecting to the internet through an encrypted tunnel and using burner email addresses — and reduce the likelihood of prosecution. Even so, they could still be tracked. Law enforcement agencies can obtain court orders for access to detailed information, including location data logged by phone networks. And many police departments have their own surveillance technologies, like license plate readers. That makes privacy-enhancing tools for consumers seem about as effective as rearranging the furniture in a room with no window drapes.“There’s no perfect solution,” said Sinan Eren, an executive at Barracuda, a security firm. “Your telecom network is your weakest link.” In other words, the state of digital privacy is already so far gone that forgoing the use of digital tools altogether may be the only way to keep information secure, security researchers said. …

Subject: Former CIA employee convicted for carrying out largest data leak in agency’s history
Source: CNNPolitics
https://www.cnn.com/2022/07/13/politics/cia-employee-convicted-joshua-schulte-data-leak/index.html

Washington (CNN) A former CIA employee charged with carrying out the largest leak of classified data in the agency’s history was convicted on all counts in federal court Wednesday.

Joshua Schulte — who was accused of handing over reams of classified data to WikiLeaks in 2016 — was convicted of illegally gathering and transmitting national defense information and obstructing a criminal investigation and grand jury proceeding, among other charges.

He had worked as a computer engineer within the CIA’s Center for Cyber Intelligence, and created cyber tools that could grab data undetected from computers. Schulte defended himself at trial. An earlier trial ended in a hung jury in 2020.

Schulte’s issues at the CIA began in the summer of 2015 when he began to feud with management and a co-worker, ultimately filing a restraining order against the co-worker in state court, court records show. Schulte and the co-worker were both transferred as a result of the feud.

Subject: Some VPNs can’t be trusted. These are best at privacy and security.
Source: WaPo via beSpacific
https://www.bespacific.com/some-vpns-cant-be-trusted-these-are-best-at-privacy-and-security/Washington Post

“Interest in virtual private networks, a technology that helps you hide what you do online, surged after the Supreme Court ended legal abortion in some states and dramatically raised the stakes for digital privacy. There’s just one problem: There are hundreds of VPNs, and some of them are snake oil. Many over-promise, making you think your activity is more hidden than it really is. Some may market themselves as free, but covertly mine your Web surfing for profit, or hand it over to the government. Constant industry consolidation means a VPN you trust today might be shady next month…”

—

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved. And from WaPo:

There are lots of other steps I’d recommend to improve your privacy and security before getting a VPN. Start with our super handy step-by-step guides to privacy and security basics. And if you are specifically concerned about keeping reproductive health information private, this guide will take you through the critical considerations.

WaPo filed: https://www.washingtonpost.com/personal-tech/

Subject: House passes bill to create alert system for active shooters
Source: UPI.com
https://www.upi.com/Top_News/US/2022/07/14/house-passes-bipartisan-bill-nationwide-alert-system-active-shooter/5301657837183/

July 14 (UPI) — The U.S. House of Representatives on Wednesday passed a bipartisan bill to create a nationwide alert system to be used in active-shooter incidents. Passed on a 260-169 vote, the Active Shooter Alert Act would establish a network similar to Amber alerts to notify the public when a shooter is nearby.

“This is terribly inefficient and dangerous,” Cicilline added. “Law enforcement needs and deserves better tools than Twitter to communicate with the community and the Active Shooter Alert Act answers that call.”

Subject: Penetration Test Guidance Updates
Source: FedRAMP.gov
https://www.fedramp.gov/2022-07-05-penetration-test-guidance/

We’re excited to announce the release of FedRAMP’s updated Penetration Test Guidance! [24-page PDF].These updates were made to address the ever-changing cybersecurity landscape. Revisions include updated guidance around existing and new threats as well as addressing attack vectors so they’re in alignment with current best practices.

The revision process included the following initiatives…

Subject: PayPal phishing kit added to hacked WordPress sites for full ID theft
Source: Bleeping Computer
https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/

A newly discovered phishing kit targeting PayPal users is trying to steal a large set of personal information from victims that includes government identification documents and photos. Over 400 million individuals and companies are using PayPal as an online payment solution. The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection to a certain degree.

Breaching websites with weak login – Researchers at internet technology company Akamai found the phishing kit after the threat actor planted it on their WordPress honeypot.

The threat actor targets poorly secured websites and brute-forces their log in using a list of common credential pairs found online. They use this access to install a file management plugin that allows uploading the phishing kit to the breached site.

…

Cybercriminals could use all this information for a variety of illegal activities ranging from anything related to identity theft to launder money (e.g., creating cryptocurrency trading accounts, registering companies) and maintaining anonymity when purchasing services to taking over banking accounts or cloning payment cards.

Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. – Akamai

…

Filed:

Facebook Tweet LinkedIn

Posted in: AI, Blockchain, Cryptocurrencies, Cybercrime, Cybersecurity, E-Discovery, Email Security, Healthcare, Legal Research, Privacy, Search Engines, United States Law

July 2022
M	T	W	T	F	S	S
« Jun				Aug »
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28	29	30	31