Pete Recommends – Weekly highlights on cyber security issues, December 10, 2022

Subject: Yup – Grad Students Analyze, Hack and Remove Under-desk surveillance devices designed to track them.
Source: beSpacific Newsie Social Mastodon

Yup – Via Vice – Grad Students Analyze, Hack and Remove Under-desk surveillance devices designed to track them. In October, [Northeastern University] quietly introduced heat sensors under desks without notifying students or seeking their consent. Students removed the devices, hacked them, and were able to force the university to stop its surveillance.

Subject: Computer Matching and Privacy Protection Act: Data Integration and Individual Rights
Source: CRS Report

CRS Report – Computer Matching and Privacy Protection Act: Data Integration and Individual Rights, December 6, 2022: “Computers and information technologies have increased the amount of data that can be collected, stored, and processed. Computers make it easier to exchange, share, and match data on individuals across programmatic and agency boundaries, enabling the use of that data for various executive branch operations. The Computer Matching and Privacy Protection Act of 1988 (CMPPA) provides the requirements and processes by which agencies may, for certain purposes, conduct a matching program using individuals’ data. … A matching program may exchange and compare any number of records, and some match millions of records…”

Abstracted from beSpacific
Copyright © 2022 beSpacific, All rights reserved.

Subject: Indiana Sues TikTok as Texas Joins the Call to Ban App
Source: Gizmodo

TikTok is facing growing scrutiny from various U.S. political officials. Amidst an ongoing call from state leaders to ban the app from state government devices, Indiana Attorney General Todd Rokita has announced that the state has filed two lawsuits against the social media platform. Rokita announced the lawsuits in a press release, calling the app “a clear and present danger.” The first of the two lawsuits—which were both filed yesterday—is based on the merit that TikTok encourages underage users to use the app under the pretense that there is only mild suggestive content involving sexual situations, drugs, and profanity. “In order to lure these children onto its platform, TikTok makes a variety of misleading representations and omissions to claim a 12+ rating on the Apple App Store and a ‘T’ for ‘Teen’ rating in the Google Play Store and the Microsoft Store,” the lawsuit alleges.


Subject: Who Is Collecting Data from Your Car?
Source: The Markup

[from about 5 months ago …] A firehose of sensitive data from your vehicle is flowing to a group of companies you’ve probably never heard of

Today’s cars are akin to smartphones, with apps connected to the internet that collect huge amounts of data, some of which is highly personal.

Most drivers have no idea what data is being transmitted from their vehicles, let alone who exactly is collecting, analyzing, and sharing that data, and with whom. A recent survey of drivers by the Automotive Industries Association of Canada found that only 28 percent of respondents had a clear understanding of the types of data their vehicle produced, and the same percentage said they had a clear understanding of who had access to that data.

The Markup has identified 37 companies that are part of the rapidly growing connected vehicle data industry that seeks to monetize such data in an environment with few regulations governing its sale or use.


Subject: Darknet Markets Generate Millions in Revenue Selling Stolen Personal Data, Supply Chain Study Finds
Source: Nextgov

It is common to hear news reports about large data breaches, but what happens once your personal data is stolen? Our research shows that, like most legal commodities, stolen data products flow through a supply chain consisting of producers, wholesalers and consumers. But this supply chain involves the interconnection of multiple criminal organizations operating in illicit underground marketplaces. The stolen data supply chain begins with producers – hackers who exploit vulnerable systems and steal sensitive information such as credit card numbers, bank account information and Social Security numbers. Next, the stolen data is advertised by wholesalers and distributors who sell the data. Finally, the data is purchased by consumers who use it to commit various forms of fraud, including fraudulent credit card transactions, identity theft and phishing attacks.

This trafficking of stolen data between producers, wholesalers and consumers is enabled by darknet markets, which are websites that resemble ordinary e-commerce websites but are accessible only using special browsers or authorization codes.

We found several thousand vendors selling tens of thousands of stolen data products on 30 darknet markets. These vendors had more than US$140 million in revenue over an eight-month period.

This article is republished from The Conversation under a Creative Commons license. Read the original article.


Subject: Top EU court rules Google must delete inaccurate search results

Dec. 8 (UPI) — Google must remove information from search results in Europe if a person can prove that those results are false, a European court ruled Thursday. In its ruling, the Court of Justice of the European Union said the California-based tech giant must delete the results if the information they provide is “manifestly inaccurate.”

The case stems from two investment managers that asked Google to remove search results linking to their company. The pair called the information, which criticized their investment model, inaccurate.

“They also requested Google to remove photos of them, displayed in the form of ‘thumbnails,’ from the list of results of an image search made on the basis of their names. That list displayed only the thumbnails as such, without reproducing the context of the publication of those photos on the referenced internet page,” the court said in its review of the case.

Subject: VICTORY! Apple Commits to Encrypting iCloud, Drops Phone-Scanning Plans
Source: Electronic Frontier Foundation

Today Apple announced it will provide fully encrypted iCloud backups, meeting a longstanding demand by EFF and other privacy-focused organizations. We applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data. Encryption is one of the most important tools we have for maintaining privacy and security online. That’s why we included the demand that Apple let users encrypt iCloud backups in the Fix It Already campaign that we launched in 2019.

Apple’s on-device encryption is strong, but some especially sensitive iCloud data, such as photos and backups, has continued to be vulnerable to government demands and hackers. Users who opt in to Apple’s new proposed feature, which the company calls Advanced Data Protection for iCloud, will be protected even if there is a data breach in the cloud, a government demand, or a breach from within Apple (such as a rogue employee). Apple said today that the feature will be available to U.S. users by the end of the year, and will roll out to the rest of the world in “early 2023.”

Subject: Defenseless: A Statistical Report on the State of Cybersecurity Maturity Across the Defense Industrial Base (DIB)
Source: Merrill Research

In response to growing concern for the state of cybersecurity across the defense industrial base (DIB), CyberSheath commissioned Merrill Research to conduct a survey of a cross section of the over 300,000 organizations that make up the DIB. The survey targeted 300 individuals responsible for cybersecurity within organizations that are actively seeking CMMC compliance. The data collected provides key insights on where DIB contractors stand in relationship to achieving their CMMC goals, the obstacles facing organizations as they work to achieve and maintain compliance, as well as identifying opportunities for third party support to strengthen cybersecurity efforts…
While the assumption from the DoD since DFARS Clause 252.204-7012 was enacted in 2017 is that the U.S. is making significant strides toward cybersecurity maturity, the truth is that more than 50% of organizations in the DIB aren’t even compliant with the basic DFARS requirements.