Pete Recommends – Weekly highlights on cyber security issues, August 13, 2022

Subject: Cross-agency group explores next steps for identity verification
Source: GCN
https://gcn.com/cybersecurity/2022/08/cross-agency-group-explores-next-steps-identity-verification/375386/

As agencies look for solutions, the hope is that the report and simulation tool inform more nuanced conversations about identity verification by showing the “trade-off considerations” that agencies should consider, said Taka Ariga, GAO chief data scientist and director of the GAO Innovation Lab.

Many panelists suggested a federated framework, the report states, where program offices can use third-party credentials for identity verification, and citizens choose what service provider they want to use.

Several panelists also suggested a shift to a more risk-based approach.

Instead of requiring the same identity verification controls for everyone that interacts with a program, agencies could use data to power a “risk-based transaction management system.”

Topics:

  • Cybersecurity
  • Authentication or Identity Management – The group’s new report and simulation tool will help officials identify trade-off considerations for different identity solutions and frameworks.
    A cross-agency group released a report and simulation tool on how the government can address identity fraud in government programs. One big takeaway: it’s complicated.
    The Joint Financial Management Improvement Program report identifies trade-off considerations for different identity solutions and frameworks, and it comes with a simulation tool from the Government Accountability Office to show how decisions about identity verification affect government programs in ways that extend beyond fraud levels alone.

Subject: Week in review: Spot deep-faked job candidates, data exfiltration via bookmarks, Patch Tuesday forecast
Source: Help Net Security
https://www.helpnetsecurity.com/2022/08/07/week-in-review-spot-deep-faked-job-candidates-data-exfiltration-via-bookmarks-patch-tuesday-forecast/

In this Help Net Security video, Sanjay Gupta, SVP and Managing Director, Mitek Systems, talks about how combating this threat will require a multi-layered approach from both HR and recruiting teams in addition to IT.The FBI recently issued a warning that malicious attackers are using deepfakes to apply for a variety of remote work positions via virtual interviews over the internet. These positions include IT, database, and developer positions with access to customer details, financial data, and proprietary information – making organizations incredibly vulnerable to a brand-new attack method should deep-faked candidates get hired.


Subject: North Korean hackers target crypto experts with fake Coinbase job offers
Source: Bleeping Computer
https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-crypto-experts-with-fake-coinbase-job-offers/

A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry.

A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack.

According to Hossein Jazi, a security researcher at Malwarebytes who has been following Lazarus activity closely since February 2022, the threat actors are now pretending to be from Coinbase, targeting candidates suitable for the role of “Engineering Manager, Product Security.”

Coinbase is one of the world’s largest cryptocurrency exchange platforms, allowing Lazarus to lay the ground for a lucrative and enticing job offer at a prestigious organization.

When victims download what they believe to be a PDF about the job position, they are actually getting a malicious executable using a PDF icon. In this case, the file is named “Coinbase_online_careers_2022_07.exe,” which will display the decoy PDF document shown below when executed while also loading a malicious DLL.

Other campaigns conducted by Lazarus in the past using fake job offers were for General Dynamics and Lockheed Martin.

Tagged:


Subject: Pretty Good Phone Privacy Masks Your Android Device ID, Mobile Data
Source: WIRED
https://www.wired.com/story/pretty-good-phone-privacy-android/

As marketers, data brokers, and tech giants endlessly expand their access to individuals’ data and movements across the web, tools like VPNs or cookie blockers can feel increasingly feeble and futile. Short of going totally off the grid forever, there are few options for the average person to meaningfully resist tracking online. Even after coming up with a technical solution last year for how phone carriers could stop automatically collecting users’ locations, researchers Barath Raghavan and Paul Schmitt knew it would be challenging to convince telecoms to implement the change. So they decided to be the carrier they wanted to see in the world.The result is a new company, dubbed Invisv, that offers mobile data designed to separate users from specific identifiers so the company can’t access or track customers’ metadata, location information, or mobile browsing. Launching in beta today for Android, the company’s Pretty Good Phone Privacy or PGPP service will replace the mechanism carriers normally use to turn cell phone tower connection data into a trove of information about users’ movements. And it will also offer a Relay service that disassociates a user’s IP address from their web browsing.

PGPP’s ability to mask your phone’s identity from cell towers comes from a revelation about why cell towers collect the unique identifiers known as IMSI numbers, which can be tracked by both telecoms and other entities that deploy devices known as IMSI catchers, often called stringrays, which mimic a cell tower for surveillance purposes. Raghavan and Schmitt realized that at its core, the only reason carriers need to track IMSI numbers before allowing devices to connect to cell towers for service is so they can run billing checks and confirm that a given SIM card and device are paid up with their carrier. By acting as a carrier themselves, Invisv can implement their PGPP technology that simply generates a “yes” or “no” about whether a device should get service.

Filed: https://www.wired.com/category/security/


Subject: Your iPhone’s deleted voicemails aren’t actually deleted
Source: ZDNet via beSpacific
https://www.bespacific.com/your-iphones-deleted-voicemails-arent-actually-deleted/ZDNet

“Here’s why and how to delete them for good. If you like keeping your phone tidy by periodically deleting old messages and voicemails, you may be surprised to hear that those voicemail messages you deleted two years ago may still be on your phone…Voicemail messages are typically stored in the mobile carrier’s servers; they’re not automatically stored on the phone itself, but they can be backed up to iCloud or a computer..”


Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.


Subject: FTC Contemplates Rules to Protect Against Commercial Surveillance and Lax Data Privacy
Source: Nextgov
https://www.nextgov.com/analytics-data/2022/08/ftc-contemplates-rules-protect-against-commercial-surveillance-and-lax-data-privacy/375726/

The Commission voted Thursday to issue a notice of their proposed rulemaking and solicit public comment.

The Federal Trade Commission is looking at boosting its efforts to combat commercial surveillance and relaxed data security, in an effort to protect online consumer privacy.

As part of this effort, the FTC seeks public comment on its Advance Notice of Proposed Rulemaking on online consumer privacy. The FTC is soliciting comments on harms from commercial surveillance and if new rules are necessary to protect people’s privacy and information.“Our goal today is to begin building a robust public record to inform whether the FTC should issue rules to address commercial surveillance and data security practices and what those rules should potentially look like,” FTC Chair Lina M. Khan said.Companies can collect information based on a person’s “online activity, their family and friend networks, browsing and purchasing histories, location and physical movements, and a wide range of other personal details.” This information is then analyzed and used to sell ads or sell products.

“Case-by-case enforcement has not systemically deterred unlawful behavior in this market,” she added.

Topics:


Subject: Hospital and Drugmaker Move to Build Vast Database of New Yorkers’ DNA
Source: The New York Times
https://www.nytimes.com/2022/08/12/nyregion/database-new-yorkers-dna.html

The Mount Sinai Health System began an effort this week to build a vast database of patient genetic information that can be studied by researchers — and by a large pharmaceutical company. The goal is to search for treatments for illnesses ranging from schizophrenia to kidney disease, but the effort to gather genetic information for many patients, collected during routine blood draws, could also raise privacy concerns.

The data will be rendered anonymous, and Mount Sinai said it had no intention of sharing it with anyone other than researchers. But consumer or genealogical databases full of genetic information, such as Ancestry.com and GEDmatch, have been used by detectives searching for genetic clues that might help them solve old crimes.

(Those two government projects involve whole-genome sequencing, which reveal an individual’s complete DNA makeup; the Mount Sinai project will sequence about 1 percent of each individual’s genome, called the exome.)

A health system in northeast Pennsylvania, Geisinger Health System, has also built a database of more than 185,000 DNA sequences, through a partnership with Regeneron. That database played a role in the discovery of mutations that can protect against obesity and fatty liver disease.

Posted in: Big Data, Cryptocurrency, Cybercrime, Cybersecurity, Healthcare, Privacy, Social Media