Subject: Biden Strengthens Cyber Coordination Between Feds and State, Local Government
Source: Route Fifty
President Joe Biden signed a bill to increase cybersecurity coordination between the Department of Homeland Security and state, local, tribal and territorial (SLTT) governments. State and local governments increasingly find themselves victims of cyberattacks, often because they do not have the expertise or resources to defend against sophisticated and persistent attackers.
The State and Local Government Cybersecurity Act improves collaboration between DHS and state and local governments in several key areas. The new law calls for the National Cybersecurity and Communications Integration Center (NCCIC) — DHS’s 24/7 cyber situational awareness, incident response and management center — to provide operational and technical cybersecurity training for state and local agencies related to threat indicators, defensive measures and incident response and management.
The bill sets up two-way information sharing. NCCIC is directed to help state and local agencies share threat indicators and information about cybersecurity risks and incidents with federal agencies and other SLTT organizations. For its part, NCCIC must notify state and local agencies about specific incidents and malware that may affect them or their residents.
The U.S. Federal Trade Commission (FTC) says more than 46,000 Americans have reported losing over $1 billion worth of cryptocurrency to scams between January 2021 and March 2022. This is a significant increase compared to last year’s FTC report, which found that roughly $80 million was lost to cryptocurrency investment scams based on around 7,000 reports.
Today’s report aligns with the FBI’s 2021 Internet Crime Report. The U.S. law enforcement agency said that tens of thousands of complaints pointed to over $1.6 billion in cryptocurrency losses.
“In 2021, the IC3 received 34,202 complaints involving the use of some type of cryptocurrency, such as Bitcoin, Ethereum, Litecoin, or Ripple,” the FBI said.
“While that number showed a decrease from 2020’s victim count (35,229), the loss amount reported in IC3 complaints increased nearly seven-fold, from 2020’s reported amount of $246,212,432, to total reported losses in 2021 of more than $1.6 billion.”
“These scams often falsely promise potential investors that they can earn huge returns by investing in their cryptocurrency schemes, but people report losing all the money they ‘invest,’” the FTC said.
Understanding the metaverse:
In a nutshell, the metaverse is a new, enhanced version of the internet that uses virtual reality and augmented reality (AR/VR) to provide a fully immersive experience of the online world. It is, in other words, a version of the web in which “you,” in the form of your online avatar, can work, play, get an education, shop and socialize with friends — and feel as if you’re actually there.
The metaverse is, in essence, an alternative to our physical world, but without many of its limitations, such as the constraints of geographic distance or the hindrances of real, living bodies.
Sounds pretty exciting, right? Well, yes. However, there’s a downside. Experts predict that the metaverse is going to amplify the cybersecurity challenges that already exist online today while introducing a host of new ones, both those that we can predict as well as those we cannot as of yet.
Research shows, for example, that cybersecurity threats and cybercrimes are increasing rapidly, by 50% or more year over year. Recent predictions hold that the annual cost of cybercrime will exceed $10 trillion by 2025, and that the primary commercial targets are not likely to be finance or commerce; rather, other key industries such as real estate, education and agriculture are being targeted.
Identity security – The metaverse is designed to function through the use of digital avatars that each user creates for themselves. Ostensibly, this avatar will be both unique and secure, which will allow the real human it represents to use their personally identifiable information (PII) and other sensitive information to make purchases, do work and even receive healthcare.
In addition, through the avatar, the user can interact with others in the digital space, including working with colleagues in a virtual office.
The concern, however, is that because the avatar is, fundamentally, the skeleton key to your private offline information, from your PII to your financial accounts, if a hacker gains access to your avatar, then they can open the door to your entire life. This holds the potential to take identity theft to an unprecedented level.
NFT and bitcoin scams
The metaverse will function through its own forms of currency, including cryptocurrency like Bitcoin, as well as various types of nonfungible tokens (NFTs).
The takeaway – The metaverse is truly a brave new world, one that holds tremendous promise and potential. The metaverse may well revolutionize the ways we work, learn, play and socialize. However, the cybersecurity threats of the metaverse are very real, and it is incumbent upon metaverse creators, governments, corporations and private citizens to understand and guard against these dangers.
Source: The Hacker News
Just before last Christmas, in a first-of-a-kind case, JPMorgan was fined $200M for employees using non-sanctioned applications to communicate about financial strategy. No mention of insider trading, naked shorting, or any malevolence. Just employees circumventing regulation using, well, Shadow IT. Not because they tried to obfuscate or hide anything; simply because it was a convenient tool that they preferred over any of the sanctioned products (of which JPMorgan certainly has quite a few). Visibility into unknown and unsanctioned applications has long been required by regulators and recommended by the Center for Internet Security community. Yet it seems that new and better approaches are still in demand. Gartner has identified External Attack Surface Management, Digital Supply Chain Risk, and Identity Threat Detection as the top three trends to focus on in 2022, all of which are closely intertwined with Shadow IT.
“Shadow IDs,” in other words unmanaged employee identities and accounts in third-party services, are often created using a simple email-and-password registration. CASBs and corporate SSO solutions cover only a few sanctioned applications, and most websites and services do not support them anyway. This means that a large part of an organization’s external surface, as well as its user identities, may be completely invisible.
Above all, these Shadow IDs remain unmanaged even after employees leave the organization, which can result in unauthorized access to sensitive customer data or other cloud-based services. Employee-created but business-related identities are also invisible to most IDM/IAM tools. The graveyard of forgotten accounts belonging to ex-employees or abandoned applications grows every day.
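One place those self-service registrations do leave a trace is the corporate mail gateway: almost every email-and-password signup sends a verification or welcome message to the work address. The following is an added example (not from the article, and not the code of any vendor it mentions) of turning such a message log into a Shadow ID inventory and flagging the accounts whose owners have already left. The log format, the sanctioned-app list, the leaver list and the subject-line heuristics are all assumptions constructed for the illustration.

```python
"""Inventory "Shadow IDs" (self-registered SaaS accounts) from a mail gateway log.

Added example, not from the article. Everything below is assumed/constructed:
- the gateway exports one JSON object per inbound message (ts, from, to, subject);
- SANCTIONED_APPS mirrors the SSO/CASB-managed app domains;
- OFFBOARDED is the HR leaver feed;
- a signup is recognised by a non-freemail sender plus a verification keyword.
"""
import json
import re
from collections import defaultdict

SANCTIONED_APPS = {"okta.com", "salesforce.com"}   # assumed: governed by SSO/CASB
OFFBOARDED = {"jdoe@example.com"}                   # assumed: HR leaver feed
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # personal mail, never a SaaS signup
SIGNUP_RE = re.compile(r"\b(verify|confirm|welcome|activate|created)\b", re.I)

# Constructed sample gateway export, one JSON record per line.
SAMPLE_LOG = """
{"ts":"2022-06-01T09:12:03Z","from":"no-reply@trello.com","to":"jdoe@example.com","subject":"Welcome to Trello! Please verify your email"}
{"ts":"2022-06-01T10:02:44Z","from":"noreply@salesforce.com","to":"asmith@example.com","subject":"Verify your Salesforce account"}
{"ts":"2022-06-02T08:41:19Z","from":"team@notion.so","to":"asmith@example.com","subject":"Confirm your email address"}
{"ts":"2022-06-02T12:00:00Z","from":"alerts@trello.com","to":"jdoe@example.com","subject":"Weekly digest"}
{"ts":"2022-06-03T15:31:07Z","from":"friend@gmail.com","to":"asmith@example.com","subject":"Welcome back from vacation"}
{"ts":"2022-06-03T16:00:00Z","from":"noreply@figma.com","to":"bwong@example.com","subject":"Your Figma account has been created"}
"""


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def parse_log(text: str):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_signup(msg: dict) -> bool:
    """Heuristic: verification/welcome wording from a non-freemail sender."""
    if sender_domain(msg["from"]) in FREEMAIL:
        return False
    return bool(SIGNUP_RE.search(msg["subject"]))


def build_inventory(text: str) -> dict:
    """Map employee address -> {app domain: first-seen timestamp} for apparent signups."""
    inventory = defaultdict(dict)
    for msg in parse_log(text):
        if not is_signup(msg):
            continue
        user = msg["to"].lower()
        app = sender_domain(msg["from"])
        inventory[user].setdefault(app, msg["ts"])  # keep the first sighting only
    return dict(inventory)


def classify(inventory: dict):
    """Return (shadow, orphaned): unsanctioned accounts, and the subset whose owner has left."""
    shadow, orphaned = [], []
    for user, apps in inventory.items():
        for app, first_seen in apps.items():
            if app in SANCTIONED_APPS:
                continue  # SSO/CASB already sees and can deprovision this one
            record = (user, app, first_seen)
            shadow.append(record)
            if user in OFFBOARDED:
                orphaned.append(record)
    return sorted(shadow), sorted(orphaned)


if __name__ == "__main__":
    shadow, orphaned = classify(build_inventory(SAMPLE_LOG))
    print("Shadow IDs (not covered by SSO/CASB):")
    for user, app, ts in shadow:
        print(f"  {user:<22} {app:<16} first seen {ts}")
    print("Orphaned (owner offboarded, account still live):")
    for user, app, ts in orphaned:
        print(f"  {user:<22} {app:<16} first seen {ts}")
```

In practice the interesting output is the orphaned list: each entry is an account that no IAM tool will ever deprovision, so it goes to the leaver’s former manager or to the app’s support desk for closure. Inbound-mail heuristics miss signups done with personal addresses, so the inventory is a lower bound rather than a complete picture.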
Source: The Hacker News
Following the footsteps of Austria and France, the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations. The Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analytics tool in a manner that allowed key bits of users’ personal data to be illegally transferred to the U.S. without necessary safeguards.
This includes interactions of users with the websites, the individual pages visited, IP addresses of the devices used to access the websites, browser specifics, details related to the device’s operating system, screen resolution, and the selected language, as well as the date and time of the visits.
The website in question, Caffeina Media SRL, has been given a period of 90 days to move away from Google Analytics to ensure compliance with GDPR. In addition, the Garante drew webmasters’ attention to the unlawfulness of data transfers to the U.S. stemming from the use of Google Analytics, recommending that site owners switch to alternative audience measurement tools that meet GDPR requirements.
Earlier this month, the French data protection watchdog, the CNIL, issued updated guidance over the use of Google Analytics, reiterating the practice as illegal under the General Data Protection Regulation (GDPR) laws and giving affected organizations a period of one month to comply.
Subject: People Are Using Deepfakes to Apply to Remote Jobs, FBI Says
Imposters were reported using stolen identities, fake video, and doctored voices to gain access to sensitive company data, according to the feds. Companies hiring for an open IT position might need to do more than scrutinize how prospective employees react to the question “What is your worst quality?” If the prospective hire sneezes or coughs without moving their lips, their worst quality might be that they’re not actually real.
The FBI’s Internet Crime Complaint Center (IC3) said Tuesday that it has received multiple complaints of people using stolen information and deepfaked video and voice to apply for remote tech jobs.
According to the FBI’s announcement, more companies have been reporting people applying for jobs using video, images, or recordings that are manipulated to look and sound like somebody else. These fakers are also using personally identifiable information from other people, i.e. stolen identities, to apply for jobs at IT, programming, database, and software firms. The report noted that many of these open positions had access to sensitive customer or employee data, as well as financial and proprietary company information, implying the imposters may be after sensitive information as well as a fraudulent paycheck.
Subject: Federal lawmakers aim to crack down on ‘dark patterns’ that trick users online
Source: Pennsylvania Capital-Star
The legislation would place limits on how internet firms with over 100M monthly users could ask for information. WASHINGTON – Tech companies sometimes lure users to sign up for a service or share information they might not have agreed to otherwise by using subtle tactics and marketing on their websites and apps, like surveys that mine for personal information or designs that hide privacy settings.
But these practices — commonly called “dark patterns” — are coming under increased scrutiny from the federal government.
U.S. Sen. Mark Warner, D-Va., has teamed up with a group of bipartisan lawmakers from the House and Senate on legislation known as the DETOUR Act that seeks to ban these practices.
Meanwhile, the Federal Trade Commission, the government’s consumer protection agency, has said it will ramp up enforcement against dark patterns that are already illegal and can trick consumers into subscriptions. The FTC also announced this month that it will undertake a wide-ranging overhaul of its overarching guidance on digital advertising.
A 2019 Princeton University study scanned 11,000 shopping websites and found instances of dark patterns on 11 percent of the sites. The more popular shopping sites were more likely to have dark patterns, according to the study.
The GOP complained that too many conservative fundraising emails were going to spam. Now, Google wants to make political emails exempt from filtering. After years of grumbling from Republicans in Congress, Google has requested that the Federal Election Commission allow a pilot program in which political campaign emails would be exempt from spam filtering.
The new program would allow emails from “authorized candidate committees, political party committees and leadership political action committees registered with the FEC,” to bypass Gmail’s spam categorization system, the filing read. That is, as long as those messages don’t violate the platform’s other rules around phishing, malware, or illegal activity.
Google seems to be trying to get ahead of a proposed bill. South Dakota Sen. John Thune and 25 other Republican legislators introduced an act on June 16 aiming to make it “unlawful for an operator of an email service to use a filtering algorithm to apply a label to an email sent to an email account from a political campaign unless the owner or user of the account took action to apply such a label.”
Instead of being screened by Gmail’s spam filter, all qualifying political emails would instead go directly to users’ inboxes. From there, users would get a “prominent” nudge to either keep receiving emails from the same sender or to opt out, according to the filing.
June 29 (UPI) — The Federal Trade Commission sued Walmart, alleging that the retailer turned a blind eye to scammers using its money transfer services to defraud Walmart customers of more than $197 million. The FTC said in a statement Tuesday that it sued Walmart “for allowing its money transfer services to be used by fraudsters, who fleeced consumers out of hundreds of millions of dollars.”
“While scammers used its money transfer services to make off with cash, Walmart looked the other way and pocketed millions in fees,” FTC Bureau of Consumer Protection Director Samuel Levine said in the statement.
“The FTC’s complaint distorts the facts and the law to try and hold Walmart responsible for a minuscule amount of reported fraud, even though we had an extensive program to try to stop such fraud, and continuously improve our anti-fraud efforts to this day,” Walmart’s statement said.
“In many cases, older consumers (ages 65 and older) have been financially exploited by sending money transfers in connection with common telemarketing scams, such as grandparent scams, Good Samaritan scams, lottery or prize scams, and romance scams, from Walmart locations,” the FTC alleged in the suit.
Commissioner Brendan Carr railed against the popular Chinese-owned social platform, alleging it was handing over U.S. citizens’ data to Beijing. TikTok’s promises to keep its U.S. users’ data safe and sound are not satisfying at least one member of the Federal Communications Commission. FCC Commissioner Brendan Carr said in a blistering letter that the Chinese company has proved it can’t be trusted with the information users give it, and should be bundled up and tossed out the airlock.
Carr posted an open letter sent to both Google and Apple on his Twitter account Tuesday. In it, he called on the companies to jettison the TikTok app from their app stores. Carr cites multiple cases of the company being exceptionally data-hungry. Most recently, BuzzFeed News reported that the Chinese government had gained access to American users’ data despite TikTok’s claims that it kept U.S. user info on servers on U.S. soil, far from the prying eyes of Beijing. Carr said in his letter that both Apple and Google parent company Alphabet should remove TikTok from their app stores or else send him a letter by July 8 explaining themselves.
Source: U.S. GAO