Pete Recommends – Weekly highlights on cyber security issues, December 24, 2022

Subject: The Trojan House
Source: S.T.O.P. – The Surveillance Technology Oversight Project
https://www.stopspying.org/the-trojan-house

EXECUTIVE SUMMARY

  • “Smart home” devices record audio and video in the home—and even collect daily schedules and health details.
  • Once collected, this data is less than a warrant or data breach away from police and hacker access.
  • Across the board, smart home devices have superior, privacy-protecting alternatives that perform the same key functions.
  • The law doesn’t protect smart home users. “Do not buy” is the best advice until it does.

I. INTRODUCTION

While the marketing will feature cozy holiday cheer, gifting so-called “smart” home devices—internet-connected speakers, thermostats, beds, vacuums, and other home appliances—is a bad idea.

Smart devices are a popular holiday purchase,[1] but bringing this technology into a home enables detailed government and corporate surveillance. A smart vacuum like Roomba will clean your floors, but it wants to case the joint it cleans, demanding a detailed floorplan for optimal performance.[2] For smart speakers, full functionality comes at the cost of bugging your home: Apple demands transcripts of user interactions with its speakers,[3] while Google demands complete audio recordings.[4] Once collected, user data is less than a warrant or data breach away from police, hackers, and other actors who don’t have users’ interests in mind.

This home surveillance is needless and avoidable. Every smart home device reviewed below has a superior, privacy-protecting alternative that performs the same key functions. This guide makes the case for getting smart by embracing “dumb” and opting for superior, privacy-preserving gifts for the home.

See also: https://www.stopspying.org/
18-page PDF: https://www.stopspying.org/s/The-Trojan-House-PDF-azlt.pdf

No Table of Contents, but 119 footnotes


Subject: Google Takes Gmail Security to the Next Level with Client-Side Encryption
Source: The Hacker News
https://thehackernews.com/2022/12/gmail-encryption.html

Google on Friday announced that its client-side encryption for Gmail is in beta for Workspace and education customers as part of its efforts to secure emails sent using the web version of the platform. This development comes at a time when concerns about online privacy and data security are at an all-time high, making it a welcome change for users who value the protection of their personal data.

To that end, Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can apply to sign up for the beta until January 20, 2023. It’s not available to personal Google Accounts.

“Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers,” the company said in a post. “Customers retain control over encryption keys and the identity service to access those keys.”

It is important to know that the latest safeguards offered by Gmail are different from end-to-end encryption: the customer organization, not the individual sender and recipient, controls the encryption keys and the identity service used to reach them.

Site RSS feed: https://feeds.feedburner.com/TheHackersNews


Subject: ‘I feel violated’: Victims of wire-transfer fraud reveal how they lost thousands to scammers
Source: Nexstar Media Wire
https://www.nxsttv.com/nmw/news/i-feel-violated-victims-of-wire-transfer-fraud-reveal-how-they-lost-thousands-to-scammers/

(KTLA) – According to the FBI, about $2 billion is lost annually to wire-transfer fraud. Some cases involve newfangled payment apps, such as Zelle, while others rely on traditional fund transfers from bank accounts. In many cases, scammers are reaching out directly and attempting to gain their victims’ trust, according to experts. “Unfortunately, it’s being used by a lot of fraudsters who are using social engineering tricks to convince consumers that they work for the bank or they’re there to help them in some regard,” explained Linda Sherry, a director for Consumer Action.


Subject: Hunting for Mastodon Servers
Source: SANS Internet Storm Center
https://isc.sans.edu/diary/Hunting+for+Mastodon+Servers/29358

Since Elon Musk took control of Twitter, there has been considerable interest in alternative platforms to the micro-blogging network. Without certainty about Twitter’s future, many people switched to the Mastodon[1] network. Most of the ISC Handlers are now present on this decentralized network. For example, I’m reachable via @[email protected][2]. You can find our addresses on the Contact page [3]. A new social network means that it could be interesting to track access to it from corporate networks and/or sensitive systems. If people are afraid about Twitter’s future, attackers are too, and there is a good chance that we will see more and more C2 communications through Mastodon.

However, there is a significant difference from Twitter: Mastodon is a decentralized platform. Mastodon is free software that allows you to run your own instance of the social network. The server owner can join (or not) the federated social network to allow people from different servers to interact (hopefully!). So, someone using the server mastodon.nz will be able to talk with me on infosec.exchange.

Current Handlers (scan for mastodon — I found 9 so far) https://isc.sans.edu/handler_list.html
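The diary excerpt above argues for tracking Mastodon access from corporate networks and points out that, because the network is federated, there is no single hostname to watch for. The Python below is an added example (not code from the ISC diary or from the Mastodon project) that hunts for Mastodon-style traffic in web proxy logs by URL path rather than by host, and then confirms a candidate host from the JSON document Mastodon serves at /api/v1/instance. The log line format, the sample log lines and the sample instance JSON are constructed for this example; the path list relies on Mastodon's documented REST API under /api/v1/ and on the WebFinger and NodeInfo endpoints that all ActivityPub software shares.

```python
import json
import re
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Path prefixes that identify Mastodon-style traffic regardless of hostname.
# /api/v1/ and /api/v2/ are Mastodon's REST API (also served by compatible
# servers such as Pleroma). WebFinger and NodeInfo are shared by all
# ActivityPub software, so they mark "fediverse" rather than Mastodon itself.
MASTODON_PATHS = (
    "/api/v1/instance",
    "/api/v1/timelines/",
    "/api/v1/statuses",
    "/api/v1/notifications",
    "/api/v1/accounts/verify_credentials",
    "/api/v2/search",
)
FEDIVERSE_PATHS = (
    "/.well-known/webfinger",
    "/.well-known/nodeinfo",
)

# Constructed proxy log format (an assumption, not the diary's):
#   <timestamp> <client-ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log lines. Hostnames are the two from the diary plus a
# bare IP, the kind of "private instance" an attacker would use for C2.
SAMPLE_LOG = [
    "2022-12-20T09:14:02Z 10.0.0.15 GET https://infosec.exchange/api/v1/timelines/home?limit=20 200",
    "2022-12-20T09:14:05Z 10.0.0.15 GET https://infosec.exchange/api/v1/notifications 200",
    "2022-12-20T09:15:11Z 10.0.0.23 GET https://mastodon.nz/.well-known/webfinger?resource=acct:bob@mastodon.nz 200",
    "2022-12-20T09:16:40Z 10.0.0.42 GET https://www.example.com/index.html 200",
    "2022-12-20T09:17:03Z 10.0.0.99 POST https://203.0.113.7/api/v1/statuses 200",
    "garbage line that does not parse",
]

# Constructed reply to GET /api/v1/instance (field names follow Mastodon's
# Instance entity; the values are made up for the example).
SAMPLE_INSTANCE_JSON = '{"uri":"infosec.exchange","title":"Infosec Exchange","version":"4.0.0"}'


def classify(url: str) -> Optional[str]:
    """Label a URL by path only, so unknown or IP-only hosts are still caught."""
    path = urlsplit(url).path
    if any(path.startswith(p) for p in MASTODON_PATHS):
        return "mastodon-api"
    if any(path.startswith(p) for p in FEDIVERSE_PATHS):
        return "fediverse-discovery"
    return None


def hunt(lines):
    """Return {host: {"kinds": set, "clients": set, "hits": int}} for hosts
    that received Mastodon/fediverse-style requests. Unparseable lines are skipped."""
    findings = defaultdict(lambda: {"kinds": set(), "clients": set(), "hits": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["url"])
        if kind is None:
            continue
        host = urlsplit(m["url"]).hostname
        entry = findings[host]
        entry["kinds"].add(kind)
        entry["clients"].add(m["client"])
        entry["hits"] += 1
    return dict(findings)


def looks_like_mastodon_instance(body: str) -> bool:
    """Confirm a candidate host from the body it returns for GET /api/v1/instance.
    Mastodon's Instance entity always carries 'uri', 'title' and 'version'; a web
    server answering that path with HTML or unrelated JSON fails this check."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and all(k in data for k in ("uri", "title", "version"))


if __name__ == "__main__":
    for host, entry in hunt(SAMPLE_LOG).items():
        print(f"{host}: {entry['hits']} hit(s), kinds={sorted(entry['kinds'])}, "
              f"clients={sorted(entry['clients'])}")
    print("sample instance JSON confirmed:", looks_like_mastodon_instance(SAMPLE_INSTANCE_JSON))
```

In practice `hunt()` is fed the proxy or TLS-inspection logs and each host it surfaces is confirmed by fetching `/api/v1/instance` from it and passing the body to `looks_like_mastodon_instance()`; a bare IP or a freshly registered domain that passes that check, reached from a server that has no business on social media, is the case worth escalating. Matching on path rather than host is what makes the approach survive the federation the diary describes.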


Subject: Cybercrime (and Security) Predictions for 2023
Source: The Hacker News
https://thehackernews.com/2022/12/cybercrime-and-security-predictions-for.html

Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it’s up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs. Here’s a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.

RSS Feed: https://feeds.feedburner.com/TheHackersNews


Subject: Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users
Source: Internet Crime Complaint Center (IC3) — FBI
https://www.ic3.gov/Media/Y2022/PSA221221

The FBI is warning the public that cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information.

The PSA goes on to cover the methodology, tips to protect yourself, and victim reporting.

RSS IC3.gov news: https://www.ic3.gov/rss.xml


Subject: What Privacy Experts Do About Their Own Digital Privacy
Source: Consumer Reports
https://www.consumerreports.org/electronics-computers/privacy/what-privacy-experts-do-about-their-own-digital-privacy-a6890252300/

Privacy experts often recommend fairly cumbersome techniques to keep companies from collecting too much of your personal information. But do they practice what they preach? Do these privacy professors, company executives, and researchers follow their own instructions for privacy health, or even take additional protective steps? Or do they secretly opt for convenience, carelessly sharing even intimate data?

We asked some top scholars and specialists in the field of digital privacy to reveal what they do to safeguard digital privacy in their own lives. We found a wide variety of practices. Like many of us, privacy professionals seem torn between the convenience offered by everyday technology and their desire to limit data collection.


Subject: More than 650,000 Samsung washing machines recalled
Source: UPI.com
https://www.upi.com/Top_News/US/2022/12/22/Home-Depot-Lowes-Samsung-washing-machines/4741671754298/

Samsung said in a statement that overheating occurs in the control panel of the affected washing machines. To rectify the issue, a software update is required.

Washers that are equipped with WiFi should automatically download the free software repair when they are plugged in and connected to the internet, Samsung said.


Subject: ByteDance employees spied on U.S. journalists, audit finds
Source: UPI.com
https://www.upi.com/Top_News/World-News/2022/12/23/tiktok-employees-spied/2261671804708/

In June, Buzzfeed reported that ByteDance employees in China had repeatedly accessed data from U.S. users.

Dec. 23 (UPI) — An internal audit by TikTok’s parent company, ByteDance, revealed that employees tracked at least two journalists who were writing about the social media platform, according to an internal email viewed by Forbes, The New York Times and The Washington Post. The ByteDance employees accessed IP addresses and locations of the journalists to determine if they were in close proximity to ByteDance employees suspected of leaking information to the press. The head of audit and risk control at ByteDance, Song Ye, has left the company, and three employees, including TikTok’s head of internal audit, Chris Lepitak, have been fired in connection to the audit.