Pete Recommends – Weekly highlights on cyber security issues, November 26, 2022

Subject: House Dems say facial recognition company misrepresented its help to consumers
Source: UPI.com
https://www.upi.com/Top_News/US/2022/11/17/ID-House-Dems-Maloney-Clyburn-unemployment/9421668714920/

Nov. 17 (UPI) — Democrats on the House Oversight Committee have asserted that an identity verification company receiving millions in government contracts, misrepresented how well it was serving Americans. ID.me downplayed how long Americans had to wait to have their identities verified when applying for unemployment benefits, and made baseless claims to increase demand for its services, according to the House Oversight Committee and Subcommittee on the Coronavirus Crisis.

“ID.me’s practices risked putting desperately needed relief out of reach for Americans who lack ready access to computers, smartphones or the Internet. Companies entrusted with implementing critical programs in a national crisis must be able to serve the needs of the people those programs are intended to benefit.”

ID.me uses facial recognition provided by third-party services to help authenticate people who apply for government resources like unemployment benefits. The Oversight committee started investigating ID.me in April after reports of long wait times for people who failed the initial authentication. ID.me told the IRS that average wait times were about two hours, even though they were actually over four hours in many states.

[including me /pmw1]


Subject: White House gives federal agencies May 2023 deadline to provide list of quantum-vulnerable cryptographic systems
Source: FedScoop
https://www.fedscoop.com/omb-quantum-vulnerable-systems-memo/

The Office of Management and Budget has given federal agencies until May 4 next year to provide an inventory of assets containing cryptographic systems that could be cracked by quantum computers.

The fresh guidance comes amid fears that significant leaps in quantum technology being made by countries hostile to the United States, including China, could allow existing forms of secure encryption to be cracked much more quickly.

The White House said also that within 30 days, federal agencies should designate a cryptographic inventory and migration lead for their organization, and within 90 days of the memo publication, the Office of the National Cyber Director in coordination with OMB, CISA and the FedRAMP Program Management Office would produce instructions for the collection and transmission of inventory of crypto-vulnerable systems.

-In this Story-
National Security Agency (NSA), Office of Management and Budget (OMB), Office of the National Cyber Director (ONCD), quantum computing, White House

Subject: How one state’s phishing training evolves with threats
Source: GCN
https://gcn.com/cybersecurity/2022/11/how-one-states-phishing-training-evolves-threats/379894/

Indiana regularly tests employees on various platforms and attachment formats, including prompts related to headline news and retests of scams those that have proved difficult for workers to catch.If state governments are to stay ahead of the latest phishing threats, employee training must constantly evolve to keep pace with new tactics, a leading technology official said.

Hemant Jain, chief information security officer at the Indiana Office of Technology (IOT), said state employees across more than 100 agencies receive phishing and cybersecurity awareness training every month, having also been trained during onboarding as new employees.

Employee training is also tailored to the different file types that individuals are exposed to in their day-to-day work. For example, training for those who regularly use PDFs for their job, will feature many PDFs to show them what they could be exposed to, Jain said during a GCN webinar. “You have to make it relevant, you have to make it contextual to the actual end user,” he added.

The efforts are all part of building what Jain described as a “cyber culture” among employees, where they are motivated to keep themselves safe while at the same time not reluctant or ashamed to report any potential breaches or issues when they arise.

Meanwhile, Jain said he and his colleagues at the IOT have gone on several statewide listening tours to hear local government perspectives on cybersecurity and other tech topics. A recent announcement that IOT will partner with Indiana and Purdue Universities to offer local governments cybersecurity assessments shows there will be plenty more opportunities for collaboration.

Filed: https://gcn.com/cybersecurity/


Subject: A Broken Twitter Means Broken Disaster Response
Source: Gizmodo
https://gizmodo.com/twitter-broken-disaster-response-elon-musk-climate-1849802766

The loss of this crucial rapid-response platform could be crippling as climate change makes disasters worse.As Twitter goes through an upheaval and rumors of its potential demise—or likely malfunction—spread, millions of people are starting to imagine a world without Twitter. While many folks may think the platform has nothing to do with them, there are countless systems that have drastically changed in the 16 years since Twitter was founded—including emergency management and disaster response, which is becoming all too crucial in the age of climate change.

I called Samantha Montano, an assistant professor of emergency management at Massachusetts Maritime Academy and the author of Disasterology: Dispatches From The Frontlines of The Climate Crisis, to talk about Twitter’s role in emergency management today and what might go wrong if the platform breaks or disappears for good.

Filed: https://gizmodo.com/earther/extreme-weather

Site RSS: https://gizmodo.com/rss


Subject: Do’s and don’ts of data de-identification
Source: GCN
https://gcn.com/data-analytics/2022/11/dos-and-donts-data-de-identification/380021/

Government goes to great lengths to protect personally identifiable information in the data it collects. To ensure de-identified data cannot be engineered to reveal individuals’ sensitive information, the National Institute of Standards and Technology is updating its guidance to address advances in privacy technology in the six years since the last version was issued.

De-identifcation allows researchers to prevent or limit privacy risks to those individuals whose personal data is contained in the dataset while still allowing for meaningful statistical analysis.Agencies may rely on models such as k-anonymity or differential privacy as safeguards against prying eyes, but advances in geolocation technology, for example, can allow outsiders—including identity thieves, journalists looking for confidential details or researchers hoping to distinguish their findings from others—to break down those barriers, according to NIST.
Agencies should perform de-identification using software specifically designed for that purpose with the guidance of trained individuals, NIST recommended….Adopting de-identification standards is another crucial strategy for protecting sensitive data….


Subject: Third-party data brokers give police warrantless access to 250 million devices
Source: Ars Technica
https://www.bespacific.com/third-party-data-brokers-give-police-warrantless-access-to-250-million-devices/Ars Technica:

“…Functioning like Google Maps, Fog Reveal is marketed to police departments as a cheap way to harvest data from 250 million devices in the US. For several thousand dollars annually, the software lets police trace unique borders around large, customized regions to generate a list of devices in the area. Police can use Fog Reveal to geofence entire buildings or street blocks—like the area surrounding an abortion clinic—and get information on devices used within and surrounding those buildings to identify suspects. On top of identifying devices used in a targeted location, Fog Reveal also can be used to search by device and see everywhere that device has been used. That means cops could identify devices at a clinic and then follow them home to identify the person connected to that device. Or they could identify a device and follow it to an abortion clinic…



Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: How North Korea became a mastermind of crypto cybercrime
Source: Ars Technica
https://arstechnica.com/information-technology/2022/11/how-north-korea-became-a-mastermind-of-crypto-cyber-crime/

Cryptocurrency theft has become one of the regime’s main sources of revenue.Created by a Vietnamese gaming studio, Axie Infinity offers players the chance to breed, trade, and fight Pokémon-like cartoon monsters to earn cryptocurrencies including the game’s own “Smooth Love Potion” digital token. At one stage, it had more than a million active players.

But earlier this year, the network of blockchains that underpin the game’s virtual world was raided by a North Korean hacking syndicate, which made off with roughly $620 million in the ether cryptocurrency.

The crypto heist, one of the largest of its kind in history, was confirmed by the FBI, which vowed to “continue to expose and combat [North Korea’s] use of illicit activities—including cybercrime and cryptocurrency theft—to generate revenue for the regime.”

The successful crypto heists illustrate North Korea’s growing sophistication as a malign cyber actor. Western security agencies and cyber security companies treat it as one of the world’s four principal nation-state-based cyber threats, alongside China, Russia, and Iran.

According to a UN panel of experts monitoring the implementation of international sanctions, money raised by North Korea’s criminal cyber operations are helping to fund the country’s illicit ballistic missile and nuclear programs. Anne Neuberger, US deputy national security adviser for cyber security, said in July that North Korea “uses cyber to gain, we estimate, up to a third of their funds for their missile program.”

Crypto analysis firm Chainalysis estimates that North Korea stole approximately $1 billion in the first nine months of 2022 from decentralized crypto exchanges alone.

Analysts say the scale and sophistication of the Axie Infinity hack exposed just how powerless the US and allied countries appear to be to prevent large-scale North Korean crypto theft.

See other articles in: https://arstechnica.com/author/financialtimes/

Posted in: AI, Big Data, Blockchain, Congress, Criminal Law, Cryptocurrency, Cybercrime, Cybersecurity, Employment Law, Legal Research, Privacy