Pete Recommends – Weekly highlights on cyber security issues, June 11, 2023

Subject: FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring
Source: The Hacker News

The U.S. Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy lapses regarding its Alexa assistant and Ring security cameras. This comprises a $25 million penalty for breaching children’s privacy laws by retaining their Alexa voice recordings for indefinite time periods and preventing parents from exercising their deletion rights.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” FTC’s Samuel Levine said.

As part of the court order, the retail giant has been mandated to delete the collected information, including inactive child accounts, geolocation data, and voice recordings, and prohibited from gathering such data to train its algorithms. It’s also required to disclose to customers its data retention practices.

Amazon has also agreed to fork out an additional $5.8 million in consumer refunds for breaching users’ privacy by permitting any employee or contractor to gain broad and unfettered access to private videos recorded using Ring cameras.

Subject: What we *should* be worrying about with AI
Source: RISKS Digest

What we *should* be worrying about with AI – Lauren Weinstein <[email protected]> Wed, 31 May 2023 19:11:27 -0700

We shouldn’t be worrying about AI wiping out humanity. That’s a smokescreen. That’s sci-fi. We need to worry about the *individuals* now and in the near future who can be hurt by the premature deployment of generative AI systems that spew wrong answers and lies, and then when asked for confirmation, lie about their own lies! And just popping up warnings to users is useless, because you know and I know that hardly anyone will read those warnings or pay any attention to them whatsoever. [Remember the boy who cried wolf too often—when there was one. PGN]

Subject: Office of Civil Rights Issues Guidance on HIPAA Compliant Use of Meta Pixels
Source: ABA

ABA: “A Meta Pixel is a code embedded in websites that tracks users’ online activities and sends such activities as discrete packets of user data to Meta, the parent company of Facebook. The Meta Pixel can track ‘users as they navigate through a website, logging which pages they visit, which buttons they click, and certain information they enter into forms.’ In return for embedding the Pixel in a website, a website owner is provided with analytics about advertisement and tools to better target website visitors. Meta can couple the data provided via the Pixel with its own database of Facebook users to re-identify users, provide targeted ads based on health conditions, or to sell the data on to third-party advertisers. Meta Pixels, and cookies in general, are broadly used by many companies on a variety of websites.

The Markup Investigation Spotlights Meta Pixels Embedded in U.S. Hospital Websites – In June 2022, the use of Meta Pixels specifically in U.S. hospital websites came to the public’s attention because of the Markup’s investigative article. …

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.
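As an added illustration of the point above (this is not from the ABA guidance, Meta, or any hospital’s code), the following Python script audits a page’s HTML offline for the artefacts the standard Meta Pixel snippet leaves behind: the fbevents.js loader, the fbq('init', '<id>') call that names the pixel, and the <noscript> image fallback that reports to facebook.com/tr. It flags pages that carry a Pixel and at least one form, since form input is the data flow the guidance singles out. The function and class names, the sample pages and the pixel id are all constructed for the example.

```python
"""Audit helper: does this page carry the Meta Pixel, and does it also collect form input?

Added example, not vendor or hospital code. Detection rests on the three artefacts
the standard Pixel snippet leaves in a page:
  1. a loader reference to connect.facebook.net/<locale>/fbevents.js
  2. an inline call fbq('init', '<pixel id>')
  3. a <noscript> fallback image pointing at facebook.com/tr?id=<pixel id>
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

FBEVENTS_RE = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js", re.I)
FBQ_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
TR_IMG_RE = re.compile(r"""facebook\.com/tr\?[^'"\s]*\bid=(\d+)""", re.I)


@dataclass
class PixelFinding:
    pixel_ids: set = field(default_factory=set)  # ids seen in fbq('init') or /tr?id=
    loader_found: bool = False                    # fbevents.js referenced anywhere
    noscript_fallback: bool = False               # <img src=".../tr?id=..."> present
    form_count: int = 0                           # HTML forms on the page

    @property
    def pixel_present(self) -> bool:
        return self.loader_found or self.noscript_fallback or bool(self.pixel_ids)

    @property
    def high_risk(self) -> bool:
        # A Pixel on a page that also takes form input is the case the guidance targets.
        return self.pixel_present and self.form_count > 0


class _PixelCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.finding = PixelFinding()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if FBEVENTS_RE.search(attrs.get("src") or ""):
                self.finding.loader_found = True
        elif tag == "img":
            m = TR_IMG_RE.search(attrs.get("src") or "")
            if m:
                self.finding.noscript_fallback = True
                self.finding.pixel_ids.add(m.group(1))
        elif tag == "form":
            self.finding.form_count += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies arrive here; the loader URL and fbq('init') live in them.
        if self._in_script:
            if FBEVENTS_RE.search(data):
                self.finding.loader_found = True
            for m in FBQ_INIT_RE.finditer(data):
                self.finding.pixel_ids.add(m.group(1))


def scan_html(html: str) -> PixelFinding:
    """Parse one page of HTML and report what it contains; no network access needed."""
    collector = _PixelCollector()
    collector.feed(html)
    collector.close()
    return collector.finding


# Constructed sample: an appointment page carrying the standard Pixel snippet.
SAMPLE_PIXEL_PAGE = """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '123456789012345');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/appointments" method="post"><input name="condition"></form>
</body></html>"""

# Constructed sample: the same form with no tracker.
SAMPLE_CLEAN_PAGE = """<html><body>
<form action="/appointments" method="post"><input name="condition"></form>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("pixel_page", SAMPLE_PIXEL_PAGE), ("clean_page", SAMPLE_CLEAN_PAGE)):
        f = scan_html(page)
        print(f"{name}: pixel={f.pixel_present} ids={sorted(f.pixel_ids)} "
              f"forms={f.form_count} high_risk={f.high_risk}")
```

Run it over saved copies of a site’s pages (for example, a crawl of patient-facing URLs) and review every page reported as high_risk; a Pixel on a page with no form still warrants a look, because the page-view itself is sent with identifying cookies.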

Subject: 2023 Verizon Data Breach Investigations Report
Source: The Verizon DBIR Team [H/T JimW] [89-page PDF]

2023 DBIR Introduction

“Success is stumbling from failure to failure with no loss of enthusiasm.” —attributed to Sir Winston Churchill

Hello and welcome old friends and new readers to the 2023 Verizon Data Breach Investigations Report! We are happy to have you join us once again as we take a look at the sordid underbelly of cybercrime and see what lessons we may collectively learn from doing so. It often seems that with every new defense strategy, appliance or Please-Save-Us-As-A-Service we create, buy or borrow, our adversaries are just as quick to adapt and find a new vantage point from which to attack. While this state of affairs is already unfortunate enough, it becomes worse still when we do not even require them to evolve their tactics because the old ones still work just fine.

Regardless of where we fall on the crazy-secure to not-so-secure spectrum, the quote above is a good road map to cybersecurity (and life in general). This report aims to take a look at the times when things did not work as intended—not to point fingers but to help us all learn and improve. In a time where almost everyone, corporations and individuals alike, is looking at ways to do more with less, we believe a close analysis of when our defenses failed can be very beneficial. While times of great change are always challenging, they often also prompt us to take stock of our situation and, if necessary, refocus both our viewpoint and our energies. Such is the case with the DBIR this year.

As a team, we decided to take a step back toward the fundamental things that got us where we are, an intense focus on actual data breaches analyzed using our own VERIS Framework. And speaking of VERIS, one of the new goodies this refocusing brings is an even better mapping between VERIS and MITRE ATT&CK through a collaboration with MITRE Engenuity and the Center for Threat Informed Defense (CTID). It also helps that our parent organization, the Verizon Threat Research Advisory Center (VTRAC), shared the most breaches ever for us to analyze. Did you know it is VTRAC’s 20th anniversary this year? Save us a slice of that cake, boss!

As long-time readers will know, over the past few years, we have increasingly utilized non-incident data to add depth and dimension to our breach findings via various forms of research and analysis. While that remains a big part of what we do, as mentioned above, we did take purposeful steps toward a more direct focus on the breach side of the house this year. In short, the result of this was to make the report more concise and succinct and less unwieldy. This year we analyzed 16,312 security incidents, of which 5,199 were confirmed data breaches. As always, we hope you find this information informative, useful, easy to understand and actionable.

2023 DBIR Table of contents

Helpful definitions and chart guidance 4
Introduction 7
Summary of findings 8
Results and analysis
Introduction 11
Actors 12
Actions 14
Assets 17
Attributes 19
Incident Classification Patterns
Introduction 22
System Intrusion 24
Social Engineering 31
Basic Web Application Attacks 35
Miscellaneous Errors 40
Denial of Service 42
Lost and Stolen Assets 44
Privilege Misuse 46
Introduction 49
Accommodation and Food Services 53
Educational Services 54
Financial and Insurance 55
Healthcare 56
Information 57
Manufacturing 58
Mining, Quarrying, and Oil & Gas Extraction + Utilities 59
Professional, Scientific and Technical Services 61
Public Administration 62
Retail 63
Small and medium business 65
Introduction 70
Year in review 74
Appendix A: Methodology 79
Appendix B: VERIS mappings to MITRE ATT&CK® 83
Appendix C: VTRAC 20-year retrospective 84
Appendix D: Contributing organizations 85

Subject: Service Rents Email Addresses for Account Signups
Source: Krebs on Security

One of the most expensive aspects of any cybercriminal operation is the time and effort it takes to constantly create large numbers of new throwaway email accounts. Now a new service offers to help dramatically cut costs associated with large-scale spam and account creation campaigns, by paying people to sell their email account credentials and letting customers temporarily rent access to a vast pool of established accounts at major providers. The service in question — kopeechka[.]store — is perhaps best described as a kind of unidirectional email confirmation-as-a-service that promises to “save your time and money for successfully registering multiple accounts.”

“Are you working on large volumes and are costs constantly growing?” Kopeechka’s website asks. “Our service will solve all your problems.”

Subject: From “Heavy Purchasers” of Pregnancy Tests to the Depression-Prone: We Found 650,000 Ways Advertisers Label You
Source: The Markup

A spreadsheet on ad platform Xandr’s website revealed a massive collection of “audience segments” used to target consumers based on highly specific, sometimes intimate information and inferences.

What words would you use to describe yourself? You might say you’re a dog owner, a parent, that you like Taylor Swift, or that you’re into knitting. If you feel like sharing, you might say you have a sunny personality or that you follow a certain religion.

If you spend any time online, you probably have some idea that the digital ad industry is constantly collecting data about you, including a lot of personal information, and sorting you into specialized categories so you’re more likely to buy the things they advertise to you. But in a rare look at just how deep—and weird—the rabbit hole of targeted advertising gets, The Markup has analyzed a database of 650,000 of these audience segments, newly unearthed on the website of Microsoft’s ad platform Xandr. The trove of data indicates that advertisers could also target people based on sensitive information like being “heavy purchasers” of pregnancy test kits, having an interest in brain tumors, being prone to depression, visiting places of worship, or feeling “easily deflated” or that they “get a raw deal out of life.”

Many of the Xandr ad categories are more prosaic, classifying people as “Affluent Millennials,” for example, or as “Dunkin Donuts Visitors.” Industry critics have raised questions about the accuracy of this type of targeting. And the practice of slicing and dicing audiences for advertisers is an old one.

“I think it’s the largest piece of evidence I’ve ever seen that provides information about what I call today’s ‘distributed surveillance economy,’” said Wolfie Christl, a privacy researcher at Cracked Labs, who discovered the file and shared it with The Markup.

Subject: China targets AirDrop, Bluetooth in proposed rules to limit file sharing
Source: UPI

June 9 (UPI) — The Chinese government moved to shut down the ability of protesters and anti-government forces to use networks like Bluetooth and AirDrop to plan and share messages with new proposed legislation. The proposal by the Cyberspace Administration of China would force “close-range mesh network services” to prevent what is deemed to be harmful and illegal information, keep files of such information, and report it to authorities.

Responding to government complaints, Apple had already limited AirDrop on iPhones in China so that users can accept files from people who are not in their contacts for only 10 minutes at a time.

Subject: Instagram Connects Vast Pedophile Network
Source: WSJ

Instagram, the popular social-media site owned by Meta Platforms, helps connect and promote a vast network of accounts openly devoted to the commission and purchase of underage-sex content, according to investigations by The Wall Street Journal and researchers at Stanford University and the University of Massachusetts Amherst.

Pedophiles have long used the internet, but unlike the forums and file-transfer services that cater to people who have interest in illicit content, Instagram doesn’t merely host these activities. Its algorithms promote them. Instagram connects pedophiles and guides them to content sellers via recommendation systems that excel at linking those who share niche interests, the Journal and the academic researchers found.

Though out of sight for most on the platform, the sexualized accounts on Instagram are brazen about their interest. The researchers found that Instagram enabled people to search explicit hashtags such as #pedowhore and #preteensex and connected them to accounts that used the terms to advertise child-sex material for sale. Such accounts often claim to be run by the children themselves and use overtly sexual handles incorporating words such as “little slut for you.”

“That a team of three academics with limited access could find such a huge network should set off alarms at Meta,” he said, noting that the company has far more effective tools to map its pedophile network than outsiders do. “I hope the company reinvests in human investigators,” he added.

Subject: Top 5 Most Common Text Message Scams & How to Avoid Them
Source: Cord Cutters News

The Federal Trade Commission estimates text messaging scams cost consumers around $330 million last year, over double the amount in 2021. Random text messages from unknown numbers are significantly more likely to be opened than unsolicited emails, reaching numbers closing in on 98 percent. Opened emails are noted to be closer to 20 percent, for comparison.

Text message scams affect individuals as well as businesses, and the rate at which they’re being sent is deemed “alarming” by the Federal Trade Commission.

“Aside from the fact that your family and friends may be among the consumers who have reported median personal losses of $1,000, a lot of the messages take on a distinctly ‘office-y’ tone that may target your staff.”

This includes notifications for fake deliveries and job offers. A growing number of businesses are having their names stolen as a front for the scammer. Approximately 51 percent of reported text message fraud consists of fake messages that appear to come from real businesses but are actually sent by scammers impersonating them.

Here are five of the most common types of text message scams…


Posted in: AI, Communications, Congress, Cybercrime, Cybersecurity, Email Security, Healthcare, KM, Legal Research, Privacy, Social Media