Pete Recommends – Weekly highlights on cyber security issues, March 11, 2023

Subject: Biden Administration’s Cybersecurity Strategy Takes Aim at Hackers
Source: Gizmodo

The government has released its roadmap to creating a less hacker-friendly world. Here are the highlights.

Since taking office, Joe Biden has made it known that he’s going to take cybercrime seriously. It’s not the case that Biden is the world’s most tech-savvy octonarian, rather, he’s simply responding to security challenges that have developed on his watch—most notably a string of increasingly destructive cyberattacks that took place during his first year as president. The most recent iteration of the Biden administration’s efforts to make the internet a safer place is the government’s recently announced national cybersecurity strategy, which was published to the WH website on Thursday. The strategy could have major impacts on the government’s efforts to deter cybercriminals and, if effectively enacted, would have a big impact on multiple areas of the tech industry.

The full report on the government’s new strategy is 39 pages and thousands upon thousands of words but I slogged through it and attempted to distill it down to a mere 1,500-ish words.


Subject: Implications of 5G on the Future of American Labor
Source: gHacks Tech News

How 5G Will Affect American Jobs: Predictions and Implications – Apple recently announced their latest iPhone models in mid-October, which are the first smartphones designed to operate on 5G networks. This new advancement in cellular connectivity holds great potential, promising to provide fast internet access to anyone, anywhere, without the need for Wi-Fi.

The impact of 5G technology is vast and far-reaching. According to Will Knight of MIT Technology Review, 5G is expected to significantly impact industries such as manufacturing, robotics, and self-driving cars.

In exploring the potential implications of 5G on the future of work, various reports from think tanks and insights from industry experts suggest that it could lead to job growth and better employment opportunities.

However, it is important to keep in mind that some journalists caution people to temper their expectations about the capabilities of 5G. Brian X. Chen, for instance, warns that despite the hype around 5G, its current technical limitations mean that most Americans will not experience blazing-fast speeds anytime soon.


Subject: What to Do When Your Boss Is Spying on You
Source: WIRED

Employee monitoring increased with Covid-19’s remote work—and stuck around for back-to-the-office.

You’re not being paranoid. If you always feel like somebody’s watching you, as the song goes, you’re probably right. Especially if you’re at work.

Over the course of the Covid-19 pandemic, as labor shifted to work-from-home, a huge number of US employers ramped up the use of surveillance software to track employees. The research firm Gartner says 60 percent of large employers have deployed such monitoring software—it doubled during the pandemic—and will likely hit 70 percent in the next few years.

That’s right—even as we’ve shifted toward a hybrid model with many workers returning to offices, different methods of employee surveillance (dubbed “bossware” by some) aren’t going away; it’s here to stay and could get much more invasive.

As detailed in the book Your Boss Is an Algorithm, authors Antonio Aloisi and Valerio de Stefano describe “expanded managerial powers” that companies have put into place over the pandemic. This includes the adoption of more tools, including software and hardware, to track worker productivity, their day-to-day activities and movements, computer and mobile phone keystrokes, and even their health statuses.

This can be called “datafication” or “informatisation,” according to the book, or “the practice by which every movement, either offline or online, is traced, revised and stored as necessary, for statistical, financial, commercial and electoral purposes.”

Ironically, experts point out that there’s not sufficient data to support the idea that all this data collection and employee monitoring actually increases productivity. But as the use of surveillance tech continues, workers should understand how they might be surveilled and what, if anything, they can do about it.

Subject: New TPM 2.0 flaws could let hackers steal cryptographic keys
Source: bleeping computer

The Trusted Platform Module (TPM) 2.0 specification is affected by two buffer overflow vulnerabilities that could allow attackers to access or overwrite sensitive data, such as cryptographic keys. TPM is a hardware-based technology that provides operating systems with tamper-resistant secure cryptographic functions. It can be used to store cryptographic keys, passwords, and other critical data, making any vulnerability in its implementation a cause for concern.

While a TPM is required for some Windows security features, such as Measured Boot, Device Encryption, Windows Defender System Guard (DRTM), Device Health Attestation, it is not required for other more commonly used features.

However, when a Trusted Platform Module is available, Windows security features get enhanced security in protecting sensitive information and encrypting data.

The TPM 2.0 specification gained popularity (and controversy) when Microsoft made it a requirement for running Windows 11 due to its required boot security measures and ensuring that Windows Hello face recognition provides reliable authentication.

The TPM 2.0 vulnerabilities – The new vulnerabilities in TPM 2.0 were discovered by Quarkslab’s researchers Francisco Falcon and Ivan Arce who said the flaws could impact billions of devices. The vulnerabilities are tracked as CVE-2023-1017 (out-of-bounds read) and CVE-2023-1018 (out-of-bounds write).

The CERT Coordination Center has published an alert about the vulnerabilities and has been informing vendors for months, trying to raise awareness while mapping the impact. Unfortunately, only a handful of entities have confirmed they are impacted.

TPM is a highly-secured space that should theoretically be shielded even from malware running on the device, so the practical importance of these vulnerabilities shouldn’t be ignored or downplayed.


Subject: Browser Security report reveals major online security threats
Source: gHacks Tech News

LayerX has published its annual browser security report in which the company highlights the most prominent browser security risks of 2022. The report includes predictions and recommendations for 2023 as well.The report focuses on Enterprise environments, but several of its key takeaways apply to small business and home environments as well. The browser security threats of 2022 make up the largest part of the document, but users find predictions, recommendations and an interesting monthly overview of major security events in the report as well.

The nine major threats that LayerX identified in 2022 were the following ones:

  • Phishing attacks via high reputation domains.
  • Malware distribution via file sharing systems.
  • Data leakage through personal browser profiles.
  • Outdated browsers.
  • Vulnerable passwords.
  • Unmanaged devices.
  • High-risk extensions.
  • Shadow SaaS.
  • MFA bypass with AiTM attacks.

The recommendations focus on SaaS and Enterprise-grade protections, but all users may use the listed threats to improve security. For example, outdated browsers may be updated more frequently, and weak or reused passwords may be replaced with unique strong passwords.

The report is available for download here, but a short form needs to be filled out before the download link is made available.


Subject: How to avoid billion-dollar fines due to unsecured messaging apps
Source: VentureBeat

In September, the U.S. Security and Exchange Commission (SEC) issued $1.8 billion in fines to some of Wall Street’s biggest banks for their inability to keep private information secure when using internal communications. These banks, including Barclay’s, Bank of America, Citigroup Global Markets, Goldman Sachs, JP Morgan Chase and others, received these fines for their “widespread and longstanding failures to maintain and preserve work-related electronic communications,” according to a 451 Research report.While financial institutions were the latest to be hit, this is not an isolated incident. Businesses across all industries are at risk of compromised data through unreliable messaging apps. And with the rise in remote and hybrid work environments and the adoption of bring-your-own-device (BYOD) practices in the workplace, data breaches and ransomware attacks are increasingly surfacing. 451 Research’s report stated that 68% of workers use their personal smartphones for both personal and business purposes, putting private company and client information at risk.

This year, the price of a HIPAA violation increased to adjust for inflation. HIPAA violations are now subject to penalties of up to $60,226 per violation and up to $1,919,173 per calendar year. Unless a business has an extra few hundred thousand sitting around for penalty fines, they can’t afford to be non-compliant.


Subject: Americans Can’t Consent to Companies Use of their Data
Source: Annenberg School for Communication via beSpacific

Americans Can’t Consent [24-page PDF + footnotes] – Companies’ Use of Their Data – They Admit They Don’t Understand It, Say They’re Helpless to Control It, and Believe They’re Harmed When Firms Use Their Data —Making What Companies Do Illegitimate: A Report from the Annenberg School for Communication, University of Pennsylvania – “Overview – Consent has always been a central part of Americans’ interactions with the commercial internet. Federal and state laws, as well as decisions from the Federal Trade Commission (FTC), require either implicit (“opt out”) or explicit (“opt in”) permission from individuals for companies to take and use data about them. Genuine opt out and opt in consent requires that people have knowledge about commercial data-extraction practices as well as a belief they can do something about them. As we approach the 30th anniversary of the commercial internet, the latest Annenberg national survey finds that Americans have neither. High percentages of Americans don’t know, admit they don’t know, and believe they can’t do anything about basic practices and policies around companies’ use of people’s data….

In short, we find that informed consent at scale is a myth, and we urge policymakers to act with that in mind.”

Subject: A.I. in beSpacific
Source: beSpacific

So far, there are 72 pages of A.I. article summaries in beSpacific starting with this first posting: October 2016.

Learning to Protect Communications with Adversarial Neural Cryptography, Martın Abadi and David G. Andersen – Google Brain. 21 October 2016.

A related category:

113 pages of abstracted summaries starting

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: Watchdog says US cyber agency lacks a plan for communicating during major hacks
Source: CNN Politics

More than two years after an alleged Russian hacking campaign exposed glaring weakness in US federal defenses, the Department of Homeland Security’s cyber agency has not updated a key agency blueprint for maintaining communications in the event of a major hack, the department’s inspector general said Monday. The watchdog’s finding highlights the continued fallout from the 2020 Russian cyber-espionage campaign, which infiltrated at least nine US federal agencies and prompted major changes to US cybersecurity policy.

In the two years since the campaign’s discovery, DHS’s Cybersecurity and Infrastructure Security Agency has “improved its ability to detect and mitigate risks from major cyberattacks, but work remains to safeguard Federal networks,” the inspector general’s report says.

CISA also still needs to update its “continuity of operations plan” and a separate backup plan for communicating securely in the event of another breach, the inspector general said. In a written response to the inspector general, CISA officials said that updates to both plans will come this year.

Subject: Hacked Coinbase User Sues Crypto Exchange for $96,000 Life Savings Lost
Source: Markets Insider — Currencies

  • A Coinbase user is suing the exchange to recover 90% of his life savings that he says was stolen from him, lawsuit claims.
  • The user said Coinbase won’t reimburse him and it sees the breach as his problem.
  • But the exchange ignored several red flags for fraud, he alleges in his claim for triple damages.

But the exchange has said it won’t reimburse Ferguson and said in an email that customers are responsible for any activity that occurs when devices or passwords are compromised, according to the suit.

“Please note you are solely responsible for the security of your e-mail, your passwords, your 2FA codes, and your devices,” the exchange said, according to the filing.

The exchange ignored several red flags for fraud during the theft, he said, such as the use of a new device and password reset, and that it didn’t use the facial recognition he had put in place.

“Coinbase’s willful blindness to the many badges of fraud present here constituted bad faith acceptance of the unauthorized payment orders,” the lawsuit said.


Subject: Best Buy announces partnership with Atrium Health to provide home healthcare

March 7 (UPI) — Best Buy struck a deal with Atrium Health on Tuesday that will enable its Geek Squad to help set up virtual hospital rooms.The three-year deal with the North Carolina-based healthcare system will allow Best Buy’s Geek Squad to go to patients’ homes and set up technology that remotely monitors a person’s heart rate, blood oxygen level and other vitals. They also will train the patient on how to use the devices and share the data with doctors and nurses.

Last month, Amazon also entered the healthcare business by acquiring membership-based primary care provider One Medical.

Subject: ADHD-Friendly Browser Looks to Curb Distractions Online
Source: Gizmodo

An ADHD-friendly browser launched today and features tools to better help those easily distracted minimize the noise online. Dubbed a “productivity browser,” Sidekick protects the user’s data while also aiming to help focus their attention by making “the internet distraction-free.”In a world where the internet is typically required in office settings and as online distractions skyrocket, Sidekick helps the user better pay attention to their work scope. It eliminates the number of ads users see so they aren’t sidetracked as they search the web, and unlike other search engines, Sidekick doesn’t make money by selling ads but instead gets funding through subscriptions, according to the site.

Sidekick does have some competition out there, with other productivity-focused browsers such as Arc and Vivaldi.

Subject: AI chatbots may have a liability problem
Source: WaPo
During oral arguments last week for Gonzalez v. Google, a case about whether social networks are liable for recommending terrorist content, the Supreme Court stumbled on a separate cutting-edge legal debate: Who should be at fault when AI chatbots go awry?
While the court may not be, as Justice Elena Kagan quipped, “the nine greatest experts on the internet,” their question could have far-reaching implications for Silicon Valley, according to tech experts.
Justice Neil M. Gorsuch posited at the session that the legal protections that shield social networks from lawsuits over user content — which the court is directly taking up for the first time — might not apply to work that’s generated by AI, like the popular ChatGPT bot.

In the past, courts have found that Section 230, a law shielding tech platforms from being liable for content posted on their sites, applies to search engines when they link to or even publish excerpts of content from third-party websites.

But there’s a case to be made that the output of a chatbot would be considered content developed, at least in part, by the search engine itself — rendering Google or Microsoft the “publisher or speaker” of the AI’s responses.

If judges agree, that could expose tech companies to a flood of lawsuits accusing their chatbots of everything from providing libelous descriptions to offering faulty investment advice to aiding a terrorist group in crafting its recruiting materials.

Subject: GSA officials misled agencies about Login-dot-gov
Source: FCW

The agency’s inspector general blasted GSA officials for claiming that its identity proofing website met NIST guidelines for biometric comparison, charging millions for it, when it did not.General Services Administration officials misled federal agencies over a period of years about its identity and authentication single sign-on service,, meeting government standards for identity proofing, according to a bombshell watchdog report released Tuesday.

GSA officials included claims about meeting National Institute of Standards and Technology standards in interagency agreements, billed agencies over $10 million for services that purported to meet those standards – but did not – for years and included those false statements in its Technology Modernization Fund application as well.

Specifically, GSA officials misled agencies about meeting the digital proofing standard, “identity assurance level 2,” set out by NIST. For to clear that threshold for its digital identity proofing, it would have to include a biometric marker such as facial recognition technology, which it does not.

The watchdog found 18 interagency agreements that claimed that met or was consistent with IAL2 between September 2018 and January 2022.

GSA has also “reassigned” the former director, hired a new director and created a steering committee, according to the report. Hashmi said that the agency is “making sure that any individuals who are found to be in violation of the policy are being held accountable.”

In 2021, the then TTS director Dave Zvenyach decided not to pursue the use of selfie matches or liveness technology for Government use of facial recognition as an identity tool was in the spotlight at the time because of the news that the IRS was backing away from a requirement that users of a direct filing tool authenticate themselves with a selfie video.


Subject: How data breaches lead to fraud risk
Source: GCN

By understanding the type and severity of data breaches, agencies can see where they should focus their efforts to curb identity fraud and prevent further victimization.Medical identity theft tops a list of five fraud trends that state, local and federal agencies must prioritize protecting.

Overall, more than the personally identifiable information (PII) of more than 22 million Americans was exposed in data breaches during the last quarter of 2022, according to “Public Sector Breach Intelligence Dashboard,” a report by TransUnion, a national consumer reporting company, and Sontiq, which TransUnion acquired in 2021. To produce the report, researchers analyzed data since 2020 from Sontiq’s BreachIQ solution, an artificial intelligence algorithm that looks at more than 1,300 data points based on information from publicly reported data breaches, fraud risk patterns and feeds from the Dark Web and online criminal forums.

“It was surprising to me to see that number so high,” said Jeff Huth, senior vice president of TransUnion’s public-sector business. “The other [surprising] thing for me was just the sheer volume and increasing volume of the number of breaches, including the high-risk data breaches,” he said.

Subject: A happy compromise between people-first and plain language

It’s not impossible to use people-first and plain language at the same time. And before you ask, they’re not contradictory, either.It’s fairly simple. Identify someone as a person first, and then put the descriptor you need to mention afterward.

During her presentation at the 2022 Federal Plain Language Summit, Donna Ledbetter, a technical writer and editor with the National Institute of Corrections of the Department of Justice’s Federal Bureau of Prisons, said that plain language and people-first language are “not opposing concepts, but rather, it’s a union; a partnership.”

Plain language requires us to omit needless words. If you need four words to describe a person, that’s OK. People-first language is still plain when the words are all necessary and people know what they mean.

What is people-first language? People-first language is about word choice and being thoughtful about how you choose to describe someone.



Subject: Your user data can be the prosecution’s star witness
Source: Android Central

All tech companies comply with warrants and they always will.

This isn’t the only case where user data was used to provide police with evidence used to prosecute abortion-seekers in states where it is illegal, and it certainly won’t be the last. It’s easy to be upset with Facebook here because they provided the information, but they had to. The company was provided with a legitimate request from law enforcement and there is only one option that doesn’t result in charges — comply.

Technology like the smartphone has made our lives more convenient and interconnected than ever before. However, with the benefits of technology come some serious concerns, especially when it comes to data privacy. One of the most significant issues in this area is the extent to which tech companies should provide user data to law enforcement when presented with a warrant. This is a complex issue with two distinct sides.

Use encryption for messages. Stop sharing every damn thing about yourself on the internet. Turn things like location access off whenever you can. Shut off Bluetooth unless you’re at home. If you’re going to do something that you don’t want anyone to know about, leave your phone at home.

These are all common sense things that we shouldn’t have to do but here we are.

Subject: Science & Tech Spotlight: Securing Data for a Post-Quantum World
Source: U.S. GAO

Cryptography uses math to secure or “encrypt” data—helping governments, businesses, and others protect sensitive information. While current encryption methods are nearly impossible for normal computers to break, quantum computers could quickly and easily break certain encryptions and put data at risk.This spotlight looks at how to better secure data before quantum computers capable of breaking those encryption methods are ready in possibly 10-20 years. Researchers have developed and are standardizing encryption methods capable of withstanding the threat. The longer it takes to implement these new methods, the higher the risk to data security.


Science and Technology


Computers; Sensitive data; Electronic signatures; National security; Information security; Personally identifiable information; Federal agencies; Information sharing; Mathematics; Authentication

Subject: The Quick and the Dead: building up cyber resilience in the financial sector
Source: Euro Cyber Resilience Board

Introductory remarks by Fabio Panetta, Member of the Executive Board of the ECB, at the meeting of the Euro Cyber Resilience Board for pan-European Financial Infrastructures, Frankfurt am Main, 8 March 2023 – “The proliferation of cyber threat actors combined with an increase in remote working and greater digital interconnectedness is raising the risk, frequency and severity of cyberattacks. Increasingly, cyber criminals are launching ransomware attacks and demanding payment in crypto. Cyberattacks related to geopolitical developments – Russia’s aggression against Ukraine in particular – have also become a more common feature of the cyber-threat landscape. …

Posted in: AI, Cryptocurrency, Cybercrime, Financial System, Government Resources, Privacy