Pete Recommends – Weekly highlights on cyber security issues, November 19, 2022

Subject: FBI Alert: Watch Out for Subscription Renewal Scams

The law enforcement agency says it has observed “several instances” of this specific social engineering scam since October.

The FBI has released an official alert warning the US public about “tech support scams” after observing a number of different examples of the malicious activity in October. Password managers and other cybersecurity software will help shield you from threats like credential stuffing or brute-force attacks, but social engineering scams like this are arguably harder to snuff out and increase in sophistication by the day.

Educating yourself to recognize the telltale signs that a scam might be taking place, and never handing out your information without verification, are two steps you can take to ensure you’re not the latest victim.

Scammers Posing as Technical Support – In a technical support scam, the FBI says, scammers “pose as service representatives of a company’s technical or computer repair service and contact victims through email or by telephone about a highly-priced, soon-to-renew subscription.”

While password managers and antivirus software can protect you from a range of online threats, the best protection against social engineering is being able to spot the telltale signs that someone might not necessarily be who they say they are.


Subject: World Cup apps pose a data security and privacy nightmare
Source: The Register

With mandated spyware downloads to tens of thousands of surveillance cameras equipped with facial-recognition technology, the World Cup in Qatar next month is looking more like a data security and privacy nightmare than a celebration of the beautiful game. Football fans and others visiting Qatar must download two apps: Ehteraz, a Covid-19 tracker, and Hayya, which allows ticket holders entry into the stadiums and access to free metro and bus transportation services.

Qatar’s Ehteraz contact tracking scheme came under scrutiny even before its World Cup use because it allows remote access to users’ pictures and videos, and can make unprompted calls.

Additionally, Ehteraz requires background location services to always be on and it gives the app the ability to read and write to the file system.


Subject: Employee tracking: From your keystrokes to your emails, here’s what your employer can see
Source: The Hill

Office workers, while in the office at least, were likely aware when their boss was observing them. They’d walk by your desk or be within view or be in the same conference room for a meeting as you. But once employees transitioned to working from home, employers lost a bit of that human oversight.

Instead, many companies began tracking their workers. Human resource research firm Gartner says the number of large employers monitoring their employees doubled to 60% since the start of the pandemic. That number is expected to grow to 70% within the next three years.

Most software can track when you’re logging on and off, how long you spend on social media, and your keyboard or mouse activity.

It isn’t just software that can give employers a glance into your digital workspace. If you’re using company technology, your employer can most likely view what is on it.

According to Google and Microsoft, authorized administrators can view your emails if you use Gmail or Outlook. Earlier this year, Microsoft Corporate Vice President Jared Spataro said the company believes “using technology to spy on people at work is not the answer and our technology is not designed for that purpose.”

Your employer can also access private messages you send on spaces like Slack and Microsoft Teams, though both have high thresholds employers need to meet before they can read your messages.

Ndjatou also suggested that if you feel your employer’s ability to track you is invasive, try having a conversation to find better solutions. For employers considering using tracking software, he says they should speak with their employees first.


Subject: Internal Documents Show How Close the F.B.I. Came to Deploying Spyware
Source: The New York Times

Christopher Wray, the F.B.I.’s director, told Congress last December that the bureau purchased the phone hacking tool Pegasus for research and development purposes. During a closed-door session with lawmakers last December, Christopher A. Wray, the director of the F.B.I., was asked whether the bureau had ever purchased and used Pegasus, the hacking tool that penetrates mobile phones and extracts their contents.

Mr. Wray acknowledged that the F.B.I. had bought a license for Pegasus, but only for research and development. “To be able to figure out how bad guys could use it, for example,” he told Senator Ron Wyden, Democrat of Oregon, according to a transcript of the hearing that was recently declassified. But dozens of internal F.B.I. documents and court records tell a different story. The documents, produced in response to a Freedom of Information Act lawsuit brought by The New York Times against the bureau, show that F.B.I. officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools — made by the Israeli spyware firm NSO — in its own criminal investigations. The officials developed advanced plans to brief the bureau’s leadership, and drew up guidelines for federal prosecutors about how the F.B.I.’s use of hacking tools would need to be disclosed during criminal proceedings.


Subject: Google Settles 40 States’ Location Data Suit for $392 Million
Source: Gizmodo

Google agreed to a $391.5 million dollar settlement on Monday to end a lawsuit accusing the tech giant of tricking users with location data privacy settings that didn’t actually turn off data collection. The payout, the result of a suit brought by 40 state attorneys general, marks one of the biggest privacy settlements in history. Google also promised to make additional changes to clarify its location tracking practices next year. “For years Google has prioritized profit over their users’ privacy,” said Ellen Rosenblum, Oregon’s attorney general who co-led the case, in a press release. “They have been crafty and deceptive. Consumers thought they had turned off their location tracking features on Google, but the company continued to secretly record their movements and used that information for advertisers.”

Despite waves of legal and media attention, Google’s location settings are still confusing, according to experts in interface design. The fine print makes it clear that you need to change multiple settings if you don’t want Google collecting data about everywhere you go, but you have to read carefully. It remains to be seen how clearly the changes the company promised in the settlement will communicate its data practices.


Subject: Russian Pushwoosh Code Found in American Apps, Including CDC’s
Source: Gizmodo

A software company whose code is used in thousands of widely downloaded American apps has been pretending to be based in the U.S. when, in reality, it operates out of Russia, new reporting from Reuters shows. The company, Pushwoosh, used fake street addresses and even fake employee profiles on LinkedIn to create the illusion that it was headquartered in the U.S., according to the recent investigation, but the firm actually calls a remote city in Siberia home. Reuters reports that, in both regulatory filings and on social media, Pushwoosh has consistently advertised itself as being based in the U.S. The firm provides contract support and software to a broad array of organizations, including “international companies, influential non-profits and government agencies,” the outlet reports. Pushwoosh’s code is used in at least eight thousand different apps currently available on the Google Play and Apple store.

In its marketing materials and on its website the company also listed a number of physical addresses based in the U.S. that Reuters says aren’t actually connected to the company. Reporters traveled to one of the addresses and found that it was the residence of a friend of Konev’s; the friend told the reporters that he had “nothing to do with Pushwoosh and had only agreed to allow Konev to use his address to receive mail.” The other address, which was said to be the firm’s “principal place of business” from 2014 to 2016, was for a residence in a California Bay Area town that local officials say doesn’t actually exist.


Subject: The Man Behind Mastodon Built It for This Moment
Source: Wired

Wired: “Eugen Rochko looks exhausted. The 29-year-old German programmer is the founder of Mastodon, a distributed alternative to Twitter that has exploded in popularity in recent weeks as Elon Musk’s ownership of the platform has rained chaos on its users. Rochko began developing Mastodon shortly after leaving university in 2016. He was a fan of Twitter but wanted to create a platform not controlled by any single company or person, reasoning that online communication is too important to be at the whim of commercial interests or CEOs. He believed that the lack of profit motive and canny design could discourage harassment and abuse, and provide users more control. Instead of creating a single unified platform, the Mastodon protocol allows anyone to use open-source software to boot up a server that hosts a Twitter-style community with its own rules. Together those servers form a collective of interlinked communities dubbed the “Fediverse.” …”

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: MI5: Britain faces complex, rising security threats from nations and terrorism

Nov. 16 (UPI) — British MI5 Director General Ken McCallum delivered a sober annual threat assessment in London Wednesday, underscoring a broad variety of national security threats from Russia’s Ukraine invasion to China’s growing power, Iranian instability and transnational terrorism. McCallum said in a speech that the British intelligence service MI5 is making “the biggest shifts in a generation” in dealing with complex threats posed by nation-states.


Subject: Science & Tech Spotlight: Zero Trust Architecture
Source: U.S. GAO

Zero trust architecture (ZTA) is a cybersecurity approach that authenticates and authorizes every interaction between a network and a user or device—in contrast to traditional cybersecurity models that allow users or devices to move freely within the network once they are granted access. ZTA works on the “never trust, always verify” principle and assumes that attacks will come from within and outside of the network. ZTA could provide better protection of an organization’s data and systems, but it may be difficult to implement because there is no widely accepted definition of what a fully functional ZTA looks like in practice.

IT systems are vital to the functioning of the federal government, critical infrastructure, and the economy. As IT systems become larger and more complex, they have become more susceptible to cyberattacks. Zero trust architecture is a cybersecurity approach that assumes breaches will occur and uses risk-based access controls to limit the damage from an attack.
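To make the contrast in the GAO spotlight concrete, here is an added illustration (not from GAO or the newsletter) of a perimeter check that trusts network position beside a zero trust decision that authenticates and authorizes each request on identity, device state and resource sensitivity. The resource tiers, risk weights and sample requests are constructed for this example.

```python
"""Zero trust vs perimeter access decision, constructed example.
All resource names, risk weights and sample requests are invented here."""
from dataclasses import dataclass

# Resource sensitivity tiers: higher tier tolerates less residual risk.
SENSITIVITY = {"wiki": 1, "hr-records": 2, "payroll-db": 3}

@dataclass
class Request:
    user: str
    mfa_verified: bool          # identity proven for this request
    device_compliant: bool      # e.g. managed, patched, disk encrypted
    session_age_min: int        # minutes since last authentication
    source_inside_lan: bool     # network position, ignored by ZTA
    resource: str

def perimeter_allows(req: Request) -> bool:
    """Traditional model: once inside the network, move freely."""
    return req.source_inside_lan

def risk_score(req: Request) -> int:
    """Risk-based control: each weak signal adds to the score."""
    score = 0
    if not req.mfa_verified:
        score += 3
    if not req.device_compliant:
        score += 2
    if req.session_age_min > 60:    # stale session should re-authenticate
        score += 1
    return score

def zero_trust_decision(req: Request) -> tuple[str, str]:
    """ZTA: authenticate, then authorize this single interaction.
    Network location plays no part. Returns (decision, reason)."""
    tier = SENSITIVITY.get(req.resource)
    if tier is None:
        return ("deny", "unknown resource")
    if not req.mfa_verified:
        return ("deny", "identity not verified for this request")
    score = risk_score(req)
    # Tolerated risk shrinks as sensitivity rises: tier 3 allows none.
    if score > 3 - tier:
        return ("deny", f"risk {score} exceeds limit for tier {tier}")
    return ("allow", f"risk {score} within limit for tier {tier}")

# Constructed samples: a LAN foothold with no MFA, and a verified remote user.
INSIDER = Request("svc-backup", False, False, 5, True, "payroll-db")
REMOTE = Request("alice", True, True, 10, False, "payroll-db")
```

The perimeter check admits the unverified LAN request and refuses the verified remote one; the zero trust decision does the reverse, and a stale but otherwise clean session is still allowed to a low tier while being refused the most sensitive resource.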
