Pete Recommends – Weekly highlights on cyber security issues, December 3, 2022

Subject: 5 cybersecurity predictions for 2023
Source: Help Net Security
https://www.helpnetsecurity.com/2022/11/25/top-cybersecurity-predictions-2023/

The cyber game is now an entire underground economy wrapped around cyberattacks. Thanks to increased international friction and the activity of groups such as Lapsus$, cybercriminals have upped the ante on cybercrime in order to turn a profit. Atakama outlines its top cybersecurity predictions for 2023.

Daniel H. Gallancy, CEO of Atakama adds: “Cyberthreats will continue to proliferate in number and grow in sophistication throughout 2023. While basic security practices will prevent many breaches, organizations are going to need more advanced solutions to protect themselves from the devastating consequences of a successful attack.”

More about
Subject: 5.4 million Twitter users’ stolen data leaked online — more shared privately
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately/

Over 5.4 million Twitter user records containing non-public information stolen using an API vulnerability fixed in January have been shared for free on a hacker forum.Another massive, potentially more significant, data dump of millions of Twitter records has also been disclosed by a security researcher, demonstrating how widely abused this bug was by threat actors.

The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public.

Tags:

Subject: A Peek Inside the FBI’s Unprecedented January 6 Geofence Dragnet
Source: Wired via beSpacific
https://www.bespacific.com/a-peek-inside-the-fbis-unprecedented-january-6-geofence-dragnet/

Wired – “The FBI’s biggest-ever investigation included the biggest-ever haul of phones from controversial geofence warrants, court records show. A filing in the case of one of the January 6 suspects, David Rhine, shows that Google initially identified 5,723 devices as being in or near the US Capitol during the riot. Only around 900 people have so far been charged with offenses relating to the siege. The filing suggests that dozens of phones that were in airplane mode during the riot, or otherwise out of cell service, were caught up in the trawl. Nor could users erase their digital trails later. In fact, 37 people who attempted to delete their location data following the attacks were singled out by the FBI for greater scrutiny. Geofence search warrants are intended to locate anyone in a given area using digital services. …–

And from Wired:

Andrew Ferguson, a professor of law at American University, agrees. “And that worries me because the January 6 cases are going to be used to build a doctrine that will essentially enable police to find almost anyone with a cellphone or a smart device in ways that we, as a society, haven’t quite grasped yet,” he says. “That is going to undermine the work of journalists, it’s going to undermine political dissenters, and it’s going to harm women who are trying to get abortion services.”

Other wired articles: https://www.wired.com/category/security/

RSS: https://www.wired.com/feed/category/security/latest/rss

Subject: Thinking about taking your computer to the repair shop? Be very afraid
Source: Ars Technica
https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/

Not surprisingly, female customers bear the brunt of the privacy violations.If you’ve ever worried about the privacy of your sensitive data when seeking a computer or phone repair, a new study suggests you have good reason. It found that privacy violations occurred at least 50 percent of the time, not surprisingly with female customers bearing the brunt.

Researchers at University of Guelph in Ontario, Canada, recovered logs from laptops after receiving overnight repairs from 12 commercial shops. The logs showed that technicians from six of the locations had accessed personal data and that two of those shops also copied data onto a personal device. Devices belonging to females were more likely to be snooped on, and that snooping tended to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.

Filed: https://arstechnica.com/information-technology/

RSS: https://arstechnica.com/information-technology/feed/

Subject: Redacted Documents Are Not as Secure as You Think
Source: WIRED
https://www.wired.com/story/redact-pdf-online-privacy/

For years, if you wanted to protect sensitive text in a document, you could grab a pair of scissors or a scalpel and cut out the information. If this didn’t work, a chunky black marker pen would do the job. Now that most documents are digitized, securely redacting their contents has become harder. The majority of redactions—by government officials and courts—involve placing black boxes over text in PDFs.When this redaction is done incorrectly, people’s safety and national security can be put at risk. New research from a team at the University of Illinois looked at the most popular tools for redacting PDF documents and found many of them wanting. The findings, from researchers Maxwell Bland, Anushya Iyer, and Kirill Levchenko, say two of the most popular tools for redacting documents offer no protection to the underlying text at all, with the text accessible by copying and pasting it. Plus, a new attack method they devised makes it possible to extract secret details from the redacted text.
The flaws aren’t just theoretical. After examining millions of publicly available documents with blacked-out redactions—including from the US court system, the US Office of the Inspector General, and Freedom of Information Act requests—the researchers found thousands of documents that exposed people’s names and other sensitive details….

Topics:

security
cybersecurity
privacy

Subject: South Dakota governor bans TikTok over ties to Chinese gov’t
Source: UPI.com
https://www.upi.com/Top_News/US/2022/11/30/South-Dakota-bans-TikTok/2781669790238/

Nov. 30 (UPI) — South Dakota Gov. Kristi Noem has banned state employees and contractors from using social media platform TikTok on their electronic devises over fears the smartphone application could be used to collect U.S. user data for China.The ban, which goes into immediate effect, was imposed Tuesday via executive order that prohibits users of state-owned electric devices from using them to download the TikTok application and to visit the social media company’s website.

The announcement comes amid growing concerns that the Chinese Communist Party could force the social media platform’s Chinese-based company ByteDance to collect data for it from U.S. users.

Subject: HHS Office for Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information
Source: HHS.gov
https://www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin to highlight the obligations of Health Insurance Portability and Accountability Act of 1996 (HIPAA) on covered entities and business associates (“regulated entities”) under the HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) when using online tracking technologies. These online tracking technologies, like Google Analytics or Meta Pixel, collect and analyze information about how internet users are interacting with a regulated entity’s website or mobile application.Some regulated entities regularly share electronic protected health information (ePHI) with online tracking technology vendors and some may be doing so in a manner that violates the HIPAA Rules. The HIPAA Rules apply when the information that regulated entities collect through tracking technologies or disclose to tracking technology vendors includes ePHI. Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.

Today’s bulletin addresses potential impermissible disclosures of ePHI by HIPAA regulated entities to online technology tracking vendors. The Bulletin explains what tracking technologies are, how they are used, and what steps regulated entities must take to protect ePHI when using tracking technologies to comply with the HIPAA Rules. Specifically, the Bulletin provides insight and examples of:

RSS: https://www.hhs.gov/rss/news.xml

Subject: Twitter Is No Longer Secure, According to Former Safety Chief
Source: tech.co
https://tech.co/news/twitter-is-not-secure-former-safety-chief

As Musk continues to make sweeping changes to Twitter, including reinstating banned users, ditching moderation plans, and decimating teams designed to protect users, the company’s former Head of Trust & Safety thinks safety on the app can no longer be guaranteed.And it’s not just former staffers that hold these concerns. As Musk continues to remove the platform’s checks and balances, advertisers are dropping like flies — with 50 of the top 100 agencies fleeing the app within the past week.

As recent events have shown, the safety and security of Twitter users have never been Musk’s top priority. But could this freefall in ad revenue be enough to change the billionaire’s tact?

More shocking still, a recent report by Bloomberg has revealed that Musk has significantly reduced the size of the team responsible for tackling child sexual exploitation on the platform. The team, which was already being pushed to its limits before Musk’s takeover, has been cut in half, leaving ten people left to tend to all cases of child exploitation on the app.

Tags

Subject: LLRX Pete Recommends Subjects (tags) for the month
Source: LLRX
Site: https://llrx.com/
Subject: Police arrest 55 members of ‘Black Panthers’ SIM Swap gang
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/police-arrest-55-members-of-black-panthers-sim-swap-gang/

The Spanish National Police have arrested 55 members of the ‘Black Panthers’ cybercrime group, including one of the organization’s leaders based in Barcelona.The gang was operating four specialized activity cells dedicated to social engineering, vishing (voice phishing), phishing, and carding, having a very organized structure.

The arrested leader coordinated the cells and recruited new members and money mules.

“The criminal group consisted of a network structure, made up of interconnected and perfectly defined action cells, whose division of tasks dealt with knowledge, accessibility to stolen information, and experience,” reads the police’s announcement.

The ultimate goal of the gang was to perform SIM swapping attacks, which is to port a target’s phone number to the attacker’s device. By porting the number, the attackers now gain access to the victim’s text messages and can use it to bypass 2FA protection on their bank accounts and empty them.

For the SIM swapping, the fraudsters used a combination of phishing, vishing, and call forwarding to impersonate the identities of their targets when talking to mobile service provider customer support agents.

In some cases, the scammers even acted as service technicians for local reseller offices of the targeted telecom firms, stealing the account credentials of their employees.

Filed: https://www.bleepingcomputer.com/news/security/

Subject: Cops Can Extract Data From 10,000 Different Car Models’ Infotainment Systems
Source: Forbes
https://www.forbes.com/sites/thomasbrewster/2022/12/01/10000-cars-can-be-data -raided-by-police-ice-cbp-love-it/

As cybersecurity researchers detail a flaw that allowed them to unlock and start Honda and Nissan cars from anywhere in the world, border and immigration agencies are buying up tech to exploit weaknesses in vehicle security.For anyone with a Honda or Nissan car, it was possible for a hacker with a laptop to unlock or start their vehicles, locate them and raid personal data stored inside, cybersecurity researchers warned on Wednesday. They could even honk the horn.

The hack highlighted a weakness in modern vehicles’ internet-connected systems, in particular those that track vehicle use and location, while hooking up to drivers’ cellphones and sucking in user data. They’re the same technologies that are regularly being exploited by federal law enforcement agencies, with immigration and border cops investing more than ever before on tools that extract masses of data—from passwords to location—from as many as 10,000 different car models.

The latest vulnerability was due to a now-fixed flaw in the cars’ shared telematics system—which records data like speed, and brake and door use—created by SiriusXM, according to researcher Sam Curry. The only data he needed to start the hack was a car’s identifying number, known as a VIN, easily retrievable from a windshield on many models. Using what the researcher called a “simple” computer program, Curry could take the VIN number and send it to a SiriusXM server as a kind of fake identification, tricking it into believing he was the real car owner. The program would then ask SiriusXM to pull the personal data stored in the car, turn on the ignition or perform other functions.

Filed: https://www.forbes.com/cybersecurity/

LinkedIn
Posted in: Big Data, Congress, Cybercrime, Cybersecurity, Email, Email Security, KM, Privacy, Search Engines, Search Strategies, Social Media, Spyware, Travel