Pete Recommends – Weekly highlights on cyber security issues, February 18, 2023

Subject: Week in review: VMware ESXi servers under attack, ChatGPT’s malicious potential, Reddit breached
Source: Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos…


Subject: Now for sale: Data on your mental health
Source: Washington Post via Mastodon @bespacific

“New study from research team at Duke Univ Sanford School of Public Policy outlines how expansive market for people’s #HealthData has become. After contacting #DataBrokers to ask what kinds of #MentalHealth info she could buy, researcher Kim reported she ultimately found 11 companies willing to sell bundles of data that included info on what antidepressants people were taking, whether they struggled with insomnia or attention issues, & details on other medical ailments,

Subject: Original Tweets Only: Retweeters Not Liable for Defamation
Source: ABA via beSpacific

ABA: “Re-posters of digital content are not liable for statements they did not author. Only the original creators of digital content can be held liable for defamatory statements, not the re-posters of slanderous posts. The court in Banaian v. Bascom held that persons who reshared original content should not be held to the same standard as those who originally created the content. In so doing, the court analyzed a portion of the Communications Decency Act (CDA) in determining that the statute’s plain meaning safeguards all re-posters of content that other authors first create and share…”

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: Cybersecurity High-Risk Series: Challenges in Protecting Privacy and Sensitive Data
Source: U.S. GAO

Fast Facts – Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the last in a series of four, we cover the 2 actions related to Protecting Privacy and Sensitive Data:

  • Improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans
  • Improve the protection of federally collected and maintained personal and sensitive data

We’ve made 236 public recommendations in this area since 2010. Nearly 60% of those recommendations had not been implemented as of December 2022.

Subject: Prosecutors Say Sam Bankman-Fried Is Getting Around Surveillance With a VPN
Source: Gizmodo

Federal prosecutors are squinting pretty hard, trying to keep an eye on what the failed FTX founder Sam Bankman-Fried has been doing while he’s been ordered by the court to live under his parents’ roof. The young crypto founder has reportedly been accessing the internet using a VPN, and the U.S. Attorney’s Office is concerned that could mean he’s accessed crypto services or is communicating with folks involved in the case. In a letter sent to New York federal Judge Lewis Kaplan on Monday, prosecutors said Bankman-Fried used a VPN on Jan. 29 and Feb. 12. This had them concerned that SBF was trying to keep his activities hidden from government surveillance.

Of course, VPN use is not in and of itself any sign of trying to get around those who might track online activity, although VPNs are widely used against surveillance, and to access content that’s restricted in a home country. Prosecutors are concerned it could mean SBF could be trying to trade crypto, which would violate the conditions of his bail.


Subject: DDoS attacks are getting more sophisticated, HHS warns healthcare orgs
Source: Becker’s Healthcare

The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a brief Feb. 13 advising healthcare organizations on how to protect their internet-connected devices and networks from Distributed Denial of Service attacks.

Eight things to know about DDoS attacks:

  • Hackers are more inclined to use DDoS attacks because they are cost-effective and require relatively few resources and little technical skill.
  • HHS warned that these attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate.
  • Hackers can use DDoS attacks at any stage of an attack.
  • DDoS attacks increased by 67 percent year-on-year and 24 percent quarter-on-quarter, according to the HHS.
  • Hackers will use web application attacks, such as DDoS attacks, to target an organization’s most exposed infrastructure.
  • To defend against these attacks, healthcare organizations should implement protections against User Datagram Protocol (UDP), SYN, and Transmission Control Protocol (TCP) flood attacks.
  • Healthcare organizations should also work to identify services and devices that may be exposed to the public internet, vulnerabilities and how a user base connects to networks.
  • ‘Killnet,’ a Russia-based hacking group, recently deployed a DDoS attack on hospital and health system websites across the U.S.
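The brief’s advice to identify exposed services and to defend against SYN-type floods is easier to act on with a concrete detection. The script below is an added illustration written for this digest; it is not code from the HHS brief, HC3, or Becker’s. It assumes a simple per-packet record (timestamp, source IP, destination port, TCP flags), uses constructed traffic with documentation-range IP addresses, and the thresholds (50 SYNs per one-second window, ACK-to-SYN ratio under 0.2) are assumptions to be tuned against real baselines.

```python
"""Rate-based SYN-flood indicator plus an exposed-port summary.

Added example (not from the HHS/HC3 brief or Becker's). Records are simplified
packet tuples; in practice they would come from NetFlow, Zeek conn logs, or a
firewall export. All IPs, ports, timings and thresholds are constructed.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str       # source IP address
    dport: int     # destination TCP port
    flags: str     # TCP flags: "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


def build_sample() -> list:
    """Constructed traffic: one client completing 10 normal handshakes,
    and one source sending 200 bare SYNs to port 443 within half a second."""
    pkts = []
    for i in range(10):
        t = i * 0.3
        pkts.append(Packet(t, "198.51.100.7", 443, "S"))        # client SYN
        pkts.append(Packet(t + 0.05, "198.51.100.7", 443, "A"))  # handshake completes
    for i in range(200):
        pkts.append(Packet(1.0 + i * 0.0025, "203.0.113.9", 443, "S"))  # flood, never ACKs
    return sorted(pkts, key=lambda p: p.ts)


def syn_flood_sources(packets, window=1.0, syn_threshold=50, max_ack_ratio=0.2):
    """Flag sources whose SYN count inside any `window` seconds exceeds
    `syn_threshold` and whose ACK-to-SYN ratio (a proxy for handshakes that
    actually complete) stays below `max_ack_ratio`. Thresholds are assumed."""
    recent = defaultdict(deque)   # src -> SYN timestamps inside the sliding window
    syns = defaultdict(int)       # src -> total SYNs seen
    acks = defaultdict(int)       # src -> total ACKs seen
    peak = defaultdict(int)       # src -> highest SYN count observed in one window
    for p in sorted(packets, key=lambda q: q.ts):
        if p.flags == "S":
            syns[p.src] += 1
            q = recent[p.src]
            q.append(p.ts)
            while q and p.ts - q[0] > window:   # drop SYNs older than the window
                q.popleft()
            peak[p.src] = max(peak[p.src], len(q))
        elif p.flags == "A":
            acks[p.src] += 1
    flagged = {}
    for src, total in syns.items():
        ratio = acks[src] / total
        if peak[src] > syn_threshold and ratio < max_ack_ratio:
            flagged[src] = {"syns": total, "acks": acks[src], "peak_per_window": peak[src]}
    return flagged


def targeted_ports(packets) -> Counter:
    """Count SYNs per destination port: a quick view of which exposed
    services are drawing connection attempts (the brief's 'identify exposed
    services' step)."""
    return Counter(p.dport for p in packets if p.flags == "S")


if __name__ == "__main__":
    sample = build_sample()
    print("SYN-flood candidates:", syn_flood_sources(sample))
    print("SYNs per destination port:", targeted_ports(sample).most_common(5))
```

The ACK-ratio check is what separates a busy but legitimate client from a flood: a real client’s SYNs are followed by ACKs, while a flood source (or spoofed addresses) never completes the handshake. Against spoofed floods the per-source view fragments, so the per-port counter is the more useful signal and the response belongs at the edge (SYN cookies, upstream scrubbing) rather than in a host-level block list.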


Subject: Online Privacy for Nonprofits: A Guide to Better Practices
Source: Electronic Frontier Foundation

Read the blog post about why you should minimize data collection.

[various EFF Privacy topics … ]

Subject: How to Prepare for a Lost, Stolen or Broken Smartphone
Source: New York Times

The New York Times: “You may never have to deal with a missing device, but planning ahead with a few simple steps can make it easier if disaster strikes. The average smartphone contains so much of one’s personal life — photos, list of contacts, calendar, email, digital wallet — that the loss of that handy slab of glass and metal can be highly disruptive and disorienting. You may never have to face this situation, but you would be wise to plan for it, especially if you have children with their own phones. Here’s a guide to what you can do before and after you lose or break your phone…”

Abstracted from beSpacific

Subject: Justice, Commerce departments form strike team to defend U.S. technology
Source: UPI

Feb. 16 (UPI) — The Justice and Commerce departments announced Thursday the start of the Disruptive Technology Strike Force to prevent top tech and digital secrets from being stolen by other countries. Last month, FBI Director Christopher Wray expressed dire concerns about cyberattacks and hacks from Russia and China at the World Economic Forum. He said emerging global threats included ransomware, cyberattacks, and economic espionage.

“Today, autocrats seek tactical advantage through the acquisition, use, and abuse of America’s most innovative technology,” Deputy Attorney General Lisa Monaco said in a statement. “They use it to enhance their military capabilities, support mass surveillance programs that enable human rights abuses and all together undermine our values.”

The department said adversaries are looking for various advanced technologies such as supercomputing and exascale computing, artificial intelligence, advanced manufacturing equipment and materials, quantum computing, and biosciences.

Subject: ChatGPT Amendment Shows the EU is Regulating by Outrage
Source: Center for Data Innovation via beSpacific

Center for Data Innovation, Patrick Grady February 13, 2023: “The EU is considering placing generative artificial intelligence (AI) tools, such as ChatGPT, in a “high risk” category in its upcoming AI bill, thereby subjecting such tools to burdensome compliance requirements. This sloppy addition needlessly stunts creativity and shows the EU is hitting the panic button instead of carefully considering the benefits and risks of new technologies. The AI Act targets so-called “high risk” applications of AI—including those used in public services, law enforcement, and judicial procedures—that must comply with the strictest requirements, including conformity assessments, technical documentation, monitoring, and oversight measures. A new proposal would dump AI systems that generate complex text (chatbots) in a new high risk category despite their low risk. AI-powered chatbots can generate complex text from limited human input and fulfill various functions, from writing recipes, poems, scripts, and articles to Internet searches, creative ideation, and summarizing texts. Like many new technologies, AI chatbots have evoked familiar panic: Doomsayers prophesize such tools will destroy education, create catastrophic redundancies, confuse and control the masses—or become sentient (and sad about it). …In addition to ChatGPT, which people already use for a range of valuable functions, this amendment would carelessly assign as “high risk” other helpful and harmless tools, including:


Subject: Federal Trade Commission charges supplement company, says it manipulated product reviews on Amazon
Source: UPI

Feb. 16 (UPI) — For the first time, the Federal Trade Commission has filed charges against a company for so-called “review hijacking.” The FTC complaint, filed Thursday, alleges that the Bountiful supplement company manipulated product reviews on Amazon.

“Bountiful carried out this deceptive tactic by merging its new products on Amazon with different well-established products that had more ratings, reviews,” the FTC said in a press release Thursday.

The complaint alleges that Bountiful abused an Amazon feature that allows products to be displayed in “variation” relationships, where similar products with minor differences share reviews. By requesting variations for their newer products, Bountiful took advantage of products that had already received reviews, giving the impression that the new products were well-rated.

Subject: Justice Department Debuts ‘Disruptive Technology Strike Force’
Source: Gizmodo

The U.S. says it’s punching back in the digital cold war over emerging technologies with a new “Disruptive Technology Strike Force.”

“Our goal is simple but essential—to strike back against adversaries trying to siphon off our best technology,” a deputy attorney general said.

The strike force, reportedly a joint initiative of the Department of Justice and the Commerce Department, will focus on combating “adversaries” attempting to steal crucial U.S. tech secrets and attack supply chains. DOJ officials say the new agency will use a combination of “intelligence and data analytics” to detect early warning signs of cyber threats and, hopefully, prevent rival nations from “weaponizing data” against the U.S. The strike force will operate in 12 metropolitan regions spread out across the U.S. and include experts from the FBI and Department of Homeland Security. Intellectual property is most often stolen through cyberattack, making the Disruptive Technology Strike Force something of a “hack back” squad.

Part of that striking back could reportedly entail leaning further into proactive efforts to reach out and “target illicit actors” before they get a chance to make off with valuable secrets. Monaco, according to Bloomberg, said the U.S. government is already taking action to detect and deter bad actors in addition to actively “disrupting cyber-attacks.”

The agency’s stated intent to strike back and “target illicit actors” could also have long-term unintended consequences. Efforts by the DOJ or Commerce Department to launch their own proactive or retaliatory attacks against illicit foreign actors risk spiraling into larger tit-for-tat cyber campaigns with devastating consequences. Properly attributing the exact origins of cyberattacks is also notoriously difficult, as attackers often route their attacks through other machines. That means retaliatory attacks led by the U.S. strike force could have to contend with unintended collateral damage.

Posted in: AI, Cybercrime, Cybersecurity, Healthcare, Intellectual Property, Social Media