Pete Recommends – Weekly highlights on cyber security issues, August 6, 2022

Subject: 911 Proxy Service Implodes After Disclosing Breach
Source: Krebs on Security

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software. 911[.]re was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

911 wasn’t the only major proxy provider disclosing a breach this week tied to unauthenticated APIs: On July 28, KrebsOnSecurity reported that internal APIs exposed to the web had leaked the customer database for Microleaves, a proxy service that rotates its customers’ IP addresses every five to ten minutes. That investigation showed Microleaves — like 911 — had a long history of using pay-per-install schemes to spread its proxy software.


Subject: Meta, US hospitals sued for using healthcare data to target ads
Source: BleepingComputer

A class action lawsuit has been filed in the Northern District of California against Meta (Facebook), the UCSF Medical Center, and the Dignity Health Medical Foundation, alleging that the organizations are unlawfully collecting sensitive healthcare data about patients for targeted advertising. This tracking and data collection allegedly takes place in medical portals beyond login walls, where patients enter highly sensitive information about themselves, their conditions, doctors, prescribed medication, and more.

According to the lawsuit, neither the hospitals nor Meta informs the patients about the data collection, no user consents are requested, and there is no visible indication of this process.

The plaintiffs realized the violation of their privacy when Facebook, the social media platform belonging to Meta, began targeting them with advertisements tailored explicitly for their medical condition.

A recent investigation by The Markup found Meta Pixel in 30% of the top 80,000 most popular websites, including several anti-abortion clinics and other healthcare providers.

The lawsuit claims that Meta’s tracking code is present on 33 websites of the top 100 hospitals in the United States, and in seven cases, the code runs beyond password-protected patient portals.

Meta even contains a provision for this in its data privacy policy, stating that its partners (hosts of the Meta Pixel) must have lawful rights to collect, use and share users’ data before handing it over to the advertising giant.

However, as mentioned in the complaint: “Healthcare Defendants do not have the legal right to use or share Plaintiffs’ and Class members data, as this information is protected by the Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) Privacy Rule, which protects all electronically protected health information a covered entity like Healthcare Defendants “create[], receive[], maintain[], or transmit[]” in electronic form.”


Subject: Huge network of 11,000 fake investment sites targets Europe
Source: Bleeping Computer

Researchers have uncovered a gigantic network of more than 11,000 domains used to promote numerous fake investment schemes to users in Europe. The platforms show fabricated evidence of enrichment and falsified celebrity endorsements to create an image of legitimacy and lure in a larger number of victims.

The goal of the operation is to trick users into an opportunity for high-return investments and convince them to deposit a minimum amount of 250 EUR ($255) to sign up for the fake services.

Researchers at cybersecurity company Group-IB discovered the operation and mapped the massive network of phishing sites, content hosts, and redirections.

Scamming process – The fraudsters put effort into promoting the campaigns on various social media platforms, or use compromised Facebook and YouTube accounts, to reach as many users as possible.


Subject: All software is guilty until proven innocent
Source: FCW

COMMENTARY | Agencies must embrace “shifting left,” an approach that takes software security into account from the beginning of the development lifecycle. More than ever, government runs on software. Indeed, its reliance on software applications has expanded rapidly in recent years – and it will continue to grow. IT modernization enables agencies to deliver services in ways that are faster, more accurate and more efficient.

Yet digital government has challenges, chiefly in the realm of cybersecurity. Securing government software and software supply chains has emerged as a significant challenge for public-sector agencies. At times, the response to that challenge has yielded mediocre results. Compared to other industries, the public sector has the highest proportion of applications with security flaws (82%), according to Veracode’s State of Software Security: Public Sector report.

Maintaining a secure domain in the fast-changing cyber environment requires strengthening software security, beginning at the earliest stages of the software development lifecycle, an approach known as “shifting left.”

To amplify and promote the benefits of this shift, the National Institute of Standards and Technology issued guidelines earlier this year aimed at helping agencies achieve application-level security. The Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e defines guidelines for federal agency staff with software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals, etc.). These guidelines teach federal workers how to access information from vendors that is needed to assess software producers’ secure software development practices.


Subject: Twitter Faces A Surge In Account Data Requests By Governments
Source: Android Headlines

The latest transparency report by Twitter shows that governments are asking for account data more than ever, Engadget reports. Protecting users’ personal information is one of the main duties of social networks. However, in some cases, these social platforms have to cooperate with governments and give up users’ data. Twitter is now revealing the increasing number of government requests to access users’ information, especially that of journalists.

Twitter says it has seen “record highs” in data requests by governments from July-December 2021. During this period, Twitter received 47,572 legal demands on 198,931 accounts.

The media and journalists are always a hot target for governments. According to Twitter’s 20th transparency report, requests for access to verified news outlets and journalists’ data have increased 103 percent compared to the last report. During this time, governments asked for data from 349 accounts.

It’s evident that journalists have become a common target for governments and regimes worldwide. Countries like India have the highest number of demands for blocking journalists’ accounts. Russia also cut access to Twitter following its invasion of Ukraine. Other governments, like Iran, try to bribe content moderators to remove opponents’ accounts.


Subject: Report – Hidden Harms: The Misleading Promise of Monitoring Students Online
Source: Center for Democracy & Technology via beSpacific

“The pressure on schools to keep students safe, especially to protect them physically and support their mental health, has never been greater. The mental health crisis, which has been exacerbated by the COVID-19 pandemic, and concerns about the increasing number of school shootings have led to questions about the role of technology in meeting these goals. From monitoring students’ public social media posts to tracking what they do in real-time on their devices, technology aimed at keeping students safe is growing in popularity. However, the harms that such technology inflicts are increasingly coming to light. CDT conducted survey research …

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: FEMA warns emergency alert systems could be hacked to transmit fake messages unless software is updated
Source: CNNPolitics

Washington (CNN) Vulnerabilities in software that TV and radio networks around the country use to transmit emergency alerts could allow a hacker to broadcast fake messages over the alert system, a Federal Emergency Management Agency official tells CNN.

A cybersecurity researcher provided FEMA with “compelling evidence to suggest certain unpatched and unsecured EAS [Emergency Alert System] devices are indeed vulnerable,” said Mark Lucero, the chief engineer for Integrated Public Alert & Warning System, the national system that state and local officials use to send urgent alerts about natural disasters or child abductions.

It’s unclear how many emergency alert system devices are running the vulnerable software. FEMA referred a request for an estimate of that figure to the FCC, which did not immediately respond to a request for comment.

Seeing the breakdown of law enforcement communications in the days before the January 6, 2021, attack on the US Capitol motivated the researcher, Pyle, to dig further into the security of those types of communications, he said.