Pete Recommends – Weekly highlights on cyber security issues, October 21, 2023

Subject: Temporary moratorium on use of #FacialRecognition
Source: beSpacific Mastodon Newsie
via https://newsie.social/@bespacific/111230043681569938 see https://www.cpomagazine.com/data-privacy/state-of-new-york-makes-moratorium-on-facial-recognition-technology-in-schools-permanent/

A temporary moratorium on the use of #FacialRecognition tech in state schools is now a matter of law in #NewYork, following the conclusion of a study that found potential rights violations outweighed the safety benefit. The ban is the result of a temporary moratorium on facial recognition tech in the state’s K-12 schools issued in December 2020 by former governor Andrew Cuomo.

Subject: FDA Establishes New Advisory Committee on Digital Health Technologies
Source: FDA
https://www.fda.gov/news-events/press-announcements/fda-establishes-new-advisory-committee-digital-health-technologies

For Immediate Release:

Today, the U.S. Food and Drug Administration announced the creation of a new Digital Health Advisory Committee to help the agency explore the complex, scientific and technical issues related to digital health technologies (DHTs), such as artificial intelligence/machine learning (AI/ML), augmented reality, virtual reality, digital therapeutics, wearables, remote patient monitoring and software.

The Digital Health Advisory Committee will advise the FDA on issues related to DHTs, providing relevant expertise and perspective to help improve the agency’s understanding of the benefits, risks, and clinical outcomes associated with use of DHTs. The committee should be fully operational in 2024.

Digital health is a rapidly evolving, cross-cutting space that spans a wide range of technologies. In addition to the technologies mentioned above, it also includes issues such as decentralized trials, patient-generated health data and cybersecurity.

Subscribe to Podcasts and News Feeds – https://www.fda.gov/about-fda/contact-fda/subscribe-podcasts-and-news-feeds


Subject: Uh-oh! Fine-tuning LLMs compromises their safety, study finds
Source: VentureBeat
https://venturebeat.com/ai/uh-oh-fine-tuning-llms-compromises-their-safety-study-finds/

As the rapid evolution of large language models (LLM) continues, businesses are increasingly interested in “fine-tuning” these models for bespoke applications — including to reduce bias and unwanted responses, such as those sharing harmful information. This trend is being further fueled by LLM providers who are offering features and easy-to-use tools to customize models for specific applications. However, a recent study by Princeton University, Virginia Tech, and IBM Research reveals a concerning downside to this practice. The researchers discovered that fine-tuning LLMs can inadvertently weaken the safety measures designed to prevent the models from generating harmful content, potentially undermining the very goals of fine-tuning the models in the first place.

Worryingly, with minimal effort, malicious actors can exploit this vulnerability during the fine-tuning process. Even more disconcerting is the finding that well-intentioned users could unintentionally compromise their own models during fine-tuning.

Category: https://venturebeat.com/category/ai/

RSS: https://venturebeat.com/category/ai/feed/


Subject: LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts
Source: HackRead
https://www.hackread.com/linkedin-phishing-scam-smart-links-microsoft/

KEY FINDINGS

  • A new LinkedIn phishing scam targets users to steal their Microsoft account login credentials.
  • Phishing actors are exploiting LinkedIn’s Smart Link feature to evade email security mechanisms and redirect users to phishing pages designed to steal financial data.
  • The Smart Links feature is part of LinkedIn Sales Navigator and Enterprise and allows users to send up to 15 documents with a single trackable link.
  • Phishing actors are interested in exploiting Smart Links to make their phishing emails seem legitimate and appear to be sent by a trusted source apart from bypassing email protections.
  • This campaign targets diverse industries, but the most prominent targets are the finance and manufacturing sectors.

If you use LinkedIn to connect with colleagues or industry experts, you should be alert: in a newly discovered phishing campaign, threat actors are abusing a legitimate LinkedIn feature to send authentic-looking phishing emails.

According to a report from email security firm Cofense, the feature exploited in this campaign is Smart Links, part of the LinkedIn Sales Navigator and Enterprise service. Phishers are abusing it to steal payment data. They exploit Smart Links to bypass email protection mechanisms and deliver malicious lures into the email inboxes of Microsoft users.

RSS: https://www.hackread.com/feed/


Subject: How to Spot and Avoid Zelle Scams in 2023
Source: tech.co
https://tech.co/news/how-to-spot-zelle-scams

[from the Zelle Hell dept … ] Because Zelle is a digital payments app that lets users send and receive money directly to and from their bank accounts, scammers love it.

Zelle is a popular digital payment platform that allows direct access to user bank accounts, which means that it is, of course, a prime target for scammers online.

Unfortunately, Zelle represents a particularly attractive scam candidate, as there is little recourse for scammed individuals to get their money back. So what can you do to keep yourself safe? You can understand what kind of Zelle scams are out there, so you can spot them before it’s too late.

What Are Zelle Scams?

Zelle scams are simply scams that are perpetrated through the Zelle platform. For those that don’t know, Zelle is an online payment service that allows users to send and receive money directly to their bank accounts. Unlike platforms like Venmo and CashApp, Zelle doesn’t have an in-app wallet, but instead facilitates transfers directly into and out of bank accounts for faster payments.

While this feature is understandably quite convenient, it does lend itself to abuse by scammers. Because the funds go immediately into, or in the case of scams out of, your bank account, there’s little recourse for getting them back when fraud occurs.

Here are some of the most common Zelle scams to look out for:

Category: https://tech.co/tag/privacy-security

RSS: https://tech.co/tag/privacy-security/feed/


Subject: How Ads on Your Phone Can Aid Government Surveillance
Source: WSJ via MSN
https://www.bespacific.com/how-ads-on-your-phone-can-aid-government-surveillance/

WSJ via MSN – “Technology embedded in our phones and computers to serve up ads can also end up serving government surveillance. Information from mobile-phone apps and advertising networks paints a richly detailed portrait of the online activities of billions of devices. The logs and technical information generate valuable cybersecurity data that governments around the world are eager to obtain. When combined with classified data in government hands, it can yield an even more detailed picture of an individual’s behaviors both online and in the real world. A recent U.S. intelligence-community report said the data collected by consumer technologies expose sensitive information on everyone “in a way that far fewer Americans seem to understand, and even fewer of them can avoid.” The Wall Street Journal identified a network of brokers and advertising exchanges whose data was flowing from apps to Defense Department and intelligence agencies through a company called Near Intelligence. This graphic puts those specific examples in the context of how such commercially available information—bought, sold or captured by dozens of entities—can end up in the hands of intermediaries with ties to governments…

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.


Subject: New CISA and NSA Identity and Access Management Guidance Puts Vendors on Notice
Source: TechRepublic
https://www.techrepublic.com/article/new-nsa-cisa-iam-guidance/

This CISA-NSA guidance reveals concerning gaps and deficits in the multifactor authentication and Single Sign-On industry and calls for vendors to make investments and take additional steps. The National Security Agency and the Cybersecurity and Infrastructure Security Agency published on October 4, 2023, a document titled Identity and Access Management: Developer and Vendor Challenges. This new IAM CISA-NSA guidance focuses on the challenges and tech gaps that are limiting the adoption and secure employment of multifactor authentication and Single Sign-On technologies within organizations.

The document was authored by a panel of public-private cross-sector partnerships working under the CISA-NSA-led Enduring Security Framework. The ESF is tasked with investigating critical infrastructure risks and national security systems. The guidance builds on their previous report, Identity and Access Management Recommended Best Practices Guide for Administrators.

Sample RSS feed: https://www.techrepublic.com/rssfeeds/topic/security/


“Over the last two decades, a segment of the educational technology (EdTech) sector that markets student surveillance products to schools — the EdTech Surveillance industry — has grown into a $3.1 billion a year economic juggernaut with a projected 8% annual growth rate. The EdTech Surveillance industry accomplished that feat by playing on school districts’ fears of school shootings, student self-harm and suicides, and bullying — marketing them as common, ever-present threats. Capitalizing on its significant financial resources and political influence, the EdTech Surveillance industry has succeeded in shaping and controlling the narrative around its products. … As a result, from student communications monitoring to facial recognition technology, school districts are rapidly deploying a huge array of surveillance technologies to spy on their students in the name of “safety.” While buying these EdTech Surveillance products may make school districts feel safer, the reality is …

Table of Contents

Acknowledgements
Executive Summary
Introduction
The EdTech Surveillance Industry’s Deceptive Marketing Practices
Surveillance Technology in Schools Is Hurting Kids, Not Helping Them
Efforts to Push Back Against Student Surveillance
Recommendations and Conclusions: How To Protect Students and Promote Better Student Surveillance Technology Decision-Making
Methods
Appendix 1: EdTech Surveillance: 10 Leading Products
Appendix 2: Model Legislation: Student Surveillance Technology Acquisition Standards Act
Endnotes

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.


Subject: Anticipating the benefits of a passwordless tomorrow
Source: Help Net Security
https://www.helpnetsecurity.com/2023/10/17/passwordless-technology-move/

Moving to passwordless technology

  • Businesses are ready to embrace a passwordless future, with 92% having a plan to move to passwordless technology and 95% currently using a passwordless experience at their organization.
  • Businesses believe passkeys will help make them more secure: 92% believe passkeys will benefit their overall security posture, and 93% agree that passkeys will eventually help reduce the volume of unofficial (i.e., “Shadow IT”) applications.
  • However, many recognize that work still needs to be done: A majority of businesses surveyed are still using phishable authentication methods, such as passwords (76%) and multi-factor authentication (MFA) (43%) when it comes to authenticating users within their organization.
  • The majority recognize that this transition will take time and education: 55% of IT leaders surveyed feel they need more education on how passwordless technology works and/or how to deploy it, and 28% cited concerns that users may be resistant to change or using a new technology.
  • When making this transition, businesses made it clear they want to choose where they store passkeys, with 69% of IT leaders anticipating storing them in a third-party password manager.

See also: https://www.helpnetsecurity.com/2022/11/09/2fa-3fa-mfa-video/


Subject: Why disaffected employees are your greatest cybersecurity risk
Source: Federal News Network
https://federalnewsnetwork.com/cybersecurity/2023/10/why-disaffected-employees-are-your-greatest-cybersecurity-risk/


Insider cybersecurity threats are just as potent as Russian and Chinese hackers. Some employees make mistakes, clicking on that bad phishing link. Unhappy or disgruntled employees, that’s another matter. Federal Drive with Tom Temin talked with someone who says such people are far more susceptible than average to social-engineering attacks. Tom’s guest was Max Shier, Chief Information Security Officer at Optiv.



Filed:
https://federalnewsnetwork.com/category/technology-main/cybersecurity/

RSS:
https://federalnewsnetwork.com/category/technology-main/cybersecurity/feed/


Subject: The Fake Browser Update Scam Gets a Makeover
Source: Krebs on Security
https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/

One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

Earlier this month, researchers at the Tel Aviv-based security firm Guardio Labs said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guard.io said.

But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”

Site RSS feed: https://krebsonsecurity.com/feed/


Subject: Google Rolls Out New Accessibility Features to Make Tasks Easy
Source: Gizmodo
https://gizmodo.com/google-rolls-out-new-accessibility-features-1850934881

New features in Maps, Search and Chrome are aimed at helping users with disabilities navigate their devices more easily. Google announced Tuesday a slew of new ways to help those with a wide range of disabilities use its products.

The company added a new business attribute icon to its Maps and Search products allowing businesses to self-identify as disabled-owned. The icon adds to Google’s growing list of business attributes, including Black-owned, Asian-owned and LGBTQ+ friendly.

Google also released Magnifier, a camera-based app designed to use the Pixel’s camera like a magnifying glass, allowing users to zoom in and add color filters. The app was designed alongside the Royal National Institute of Blind People and the National Federation of the Blind, and it’s helpful for low-vision people to see small details in the world around them. The filters can enhance the contrast, brightness and color of small text and other subtleties that people with low vision may struggle with. The feature will be available on the Pixel 5 and up, excluding the Pixel Fold.

Some other Google Accessibility articles: https://blog.google/outreach-initiatives/accessibility/


Subject: Login.gov to add facial recognition tech
Source: Nextgov/FCW
https://www.nextgov.com/digital-government/2023/10/logingov-add-facial-recognition-tech/391300/

The General Services Administration is changing its digital identity service to allow users to authenticate themselves by matching against a previously submitted government ID. The General Services Administration will add facial recognition technology to Login.gov, a single sign-on service for Americans to get government benefits and services online, the agency announced Wednesday.

The agency said in its Wednesday announcement it will be rolling out the technology next year. GSA says it will also add another new digital identity verification option for those who don’t want to use facial recognition technology. This method is still to be determined but it could involve real-time identity verification via live video chat or other platform.

Both the facial recognition and video chat options are part of GSA’s push to bring the service in line with government digital identity standards established by the National Institute of Standards and Technology. GSA’s Inspector General lambasted officials for misleading other federal agencies using the service about its level of compliance in a report earlier this year. Using facial recognition technology is the easiest way to meet those standards online.

Login.gov’s in-person option offered at U.S. Postal Service locations is the third way to meet NIST standards for identity proofing, called identity assurance level two. In online situations, Login.gov currently uses data checks of government IDs and phone numbers or addresses to verify people’s identities, relying at least in part on data vendor LexisNexis.

A major question the agency says it’s studying — one that is of urgent interest to advocates opposed to facial recognition technology as well — is whether or not facial recognition systems have bias in terms of skin tone and demographics.

RSS feed: https://www.nextgov.com/rss/digital-government/


Subject: Covid Relief Payments Triggered Feds to Demand Money Back From Social Security Recipients
Source: KFF Health News
https://kffhealthnews.org/news/article/social-security-overpayments-congress-hearing/

[from the “AI will fix all of this” dept. ]

Vaughn and other recipients didn’t ask for the covid money. The checks, known as economic impact or stimulus payments, landed automatically in their mailboxes or bank accounts in three installments in 2020 and 2021. The payments, which were based on the recipient’s income, totaled as much as $3,200 per person.

The payments pushed some beneficiaries’ bank balances above the $2,000 asset limit for individuals on Supplemental Security Income (SSI), a program for people with little or no income or assets who are blind, disabled, or 65 or over. The limit, which hasn’t been adjusted for inflation in decades, can discourage people from working or saving more than a perilously small amount of money.

In some cases, when the Social Security Administration belatedly noticed the higher bank balances, it concluded the beneficiaries no longer qualified for SSI, according to people affected. Then the agency set out to recapture years of SSI benefits it alleged they shouldn’t have received.

Even as recipients appealed the actions, the agency stopped sending monthly benefit checks.

Actions Defy Agency’s Own Policy

The covid stimulus payments aren’t supposed to trigger Social Security clawbacks. Early in the pandemic, the Social Security Administration said that, when assessing people’s eligibility for SSI, it would exclude the payments for 12 months. Later, it said it would exclude them indefinitely. But what the agency says and what it does — indeed, what it is capable of doing — are often very different, people who study the agency said.


Subject: Google-hosted malvertising leads to fake Keepass site that looks genuine
Source: Ars Technica
https://arstechnica.com/security/2023/10/google-hosted-malvertising-leads-to-fake-keepass-site-that-looks-genuine/

Google-verified advertiser + legit-looking URL + valid TLS cert = convincing look-alike. Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which, when viewed in an address bar, appears to be the genuine Keepass site.

“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post Wednesday that revealed the scam.

Information available through Google’s Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

The sleight of hand that allowed the imposter site xn--eepass-vbb[.]info to appear as ķeepass[.]info is an encoding scheme known as punycode. It allows unicode characters to be represented in standard ASCII text. Looking carefully, it’s easy to spot the small comma-like figure immediately below the k. When it appears in an address bar, the figure is equally easy to miss, especially when the URL is backed by a valid TLS certificate, as is the case here.
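As an added, defender-side illustration of the punycode trick described above (editorial example code, not from Ars Technica or Malwarebytes): decode the ACE form of a hostname the way an address bar does, strip diacritics to get the ASCII "skeleton" a human reads, and compare that skeleton with a watch-list of brands. The watch-list, the function names and the NFKD-based skeleton (a simplification of the Unicode confusables approach) are assumptions made for this example.

```python
import unicodedata

# Constructed watch-list of domains whose look-alikes we want to flag.
# This is an assumption for the example; a real deployment uses its own list.
WATCHLIST = {"keepass.info", "login.gov"}


def decode_idn(hostname: str) -> str:
    """Return the Unicode form of a hostname, as an address bar would show it.

    Accepts defanged input such as 'xn--eepass-vbb[.]info', which is how
    indicators usually arrive in reports.
    """
    host = hostname.strip().rstrip(".").lower().replace("[.]", ".")
    try:
        # The idna codec decodes each 'xn--' label via Punycode and checks
        # that it round-trips, so malformed labels are rejected.
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Already Unicode, or not a valid ACE label: keep it as given.
        return host


def skeleton(hostname: str) -> str:
    """Reduce a hostname to a plain-ASCII skeleton.

    NFKD splits each character into a base letter plus combining marks; the
    marks (e.g. the cedilla under the k in 'ķeepass') are then dropped.
    Letters with no ASCII base (Cyrillic, Greek) survive unchanged, so they
    still show up as non-ASCII in analyze().
    """
    decomposed = unicodedata.normalize("NFKD", hostname)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def scripts_used(text: str) -> set:
    """Rough script tags per letter, taken from Unicode character names
    (e.g. LATIN, CYRILLIC, GREEK). Mixed scripts in one label are a red flag."""
    tags = set()
    for ch in text:
        if ch.isalpha():
            tags.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return tags


def analyze(hostname: str) -> dict:
    """Decode, skeletonize and compare a hostname against the watch-list."""
    shown = decode_idn(hostname)
    plain = skeleton(shown)
    non_ascii = any(ord(ch) > 127 for ch in shown)
    # Only a non-ASCII name whose skeleton matches a watched brand is a
    # look-alike; the genuine ASCII domain must not be flagged.
    lookalike_of = plain if (non_ascii and plain in WATCHLIST) else None
    return {
        "input": hostname,
        "shown": shown,          # what the address bar displays
        "skeleton": plain,       # what a human reads
        "non_ascii": non_ascii,
        "scripts": scripts_used(shown),
        "lookalike_of": lookalike_of,
    }


if __name__ == "__main__":
    # Constructed sample: the impostor domain from the article and the real one.
    for host in ("xn--eepass-vbb[.]info", "keepass.info"):
        print(analyze(host))
```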


Subject: Colorado Court Punts on Reverse Keyword Search Warrants
Source: Gizmodo
https://gizmodo.com/reverse-keyword-search-warrants-explainer-colorado-1850945867

Colorado’s Supreme Court this week had the opportunity to hand down a historic judgment on the constitutionality of “reverse keyword search warrants,” a powerful new surveillance technique that grants law enforcement the ability to identify potential criminal suspects based on broad, far-reaching internet search results. Police say the creative warrants have helped them crack otherwise cold cases. Critics, who include more than a dozen rights organizations and major tech companies, argue the tool’s immense scope tramples on innocent users’ privacy and runs afoul of Fourth Amendment protections against unreasonable searches by the government.

Critics fear these broad warrants, which compel Google and other tech companies to sift through their vast stores of search data to sniff out users who’ve searched for specific keywords, could be weaponized against abortion seekers, political protestors, or even everyday internet users who inadvertently type a query that could someday be used against them in court.


Subject: FDA Establishes New Advisory Committee on Digital Health Technologies
Source: FDA
https://www.fda.gov/news-events/press-announcements/fda-establishes-new-advisory-committee-digital-health-technologies

For Immediate Release:

Today, the U.S. Food and Drug Administration announced the creation of a new Digital Health Advisory Committee to help the agency explore the complex, scientific and technical issues related to digital health technologies (DHTs), such as artificial intelligence/machine learning (AI/ML), augmented reality, virtual reality, digital therapeutics, wearables, remote patient monitoring and software.

The Digital Health Advisory Committee will advise the FDA on issues related to DHTs, providing relevant expertise and perspective to help improve the agency’s understanding of the benefits, risks, and clinical outcomes associated with use of DHTs. The committee should be fully operational in 2024.

Digital health is a rapidly evolving, cross-cutting space that spans a wide range of technologies. In addition to the technologies mentioned above, it also includes issues such as decentralized trials, patient-generated health data and cybersecurity.

Related Information

Subscribe to Podcasts and News Feeds – https://www.fda.gov/about-fda/contact-fda/subscribe-podcasts-and-news-feeds


Subject: Uh-oh! Fine-tuning LLMs compromises their safety, study finds
Source: VentureBeat
https://venturebeat.com/ai/uh-oh-fine-tuning-llms-compromises-their-safety-study-finds/

As the rapid evolution of large language models (LLM) continues, businesses are increasingly interested in “fine-tuning” these models for bespoke applications — including to reduce bias and unwanted responses, such as those sharing harmful information. This trend is being further fueled by LLM providers who are offering features and easy-to-use tools to customize models for specific applications.However, a recent study by Princeton University, Virginia Tech, and IBM Research reveals a concerning downside to this practice. The researchers discovered that fine-tuning LLMs can inadvertently weaken the safety measures designed to prevent the models from generating harmful content, potentially undermining the very goals of fine-tuning the models in the first place.

Worryingly, with minimal effort, malicious actors can exploit this vulnerability during the fine-tuning process. Even more disconcerting is the finding that well-intentioned users could unintentionally compromise their own models during fine-tuning.


Subject: LinkedIn Phishing Scam Exploits Smart Links to Steal Microsoft Accounts
Source: HackRead
https://www.hackread.com/linkedin-phishing-scam-smart-links-microsoft/KEY FINDINGS

  • A new LinkedIn phishing scam targets users to steal their Microsoft account login credentials.
  • Phishing actors are exploiting LinkedIn’s Smart Link feature to evade email security mechanisms and redirect users to phishing pages designed to steal financial data.
  • The Smart Links feature is part of LinkedIn Sales Navigator and Enterprise and allows users to send up to 15 documents with a single trackable link.
  • Phishing actors are interested in exploiting Smart Links to make their phishing emails seem legitimate and appear to be sent by a trusted source apart from bypassing email protections.
  • This campaign targets diverse industries, but the most prominent targets are the finance and manufacturing sectors.

If you use LinkedIn to connect with your colleagues or industry experts, then you should feel alert because, in the newly discovered phishing campaign, threat actors are abusing a legitimate feature of LinkedIn to send authentic-looking phishing emails.

According to a report from email security firm Cofense, the feature exploited in this campaign is Smart Links, part of the LinkedIn Sales Navigator and Enterprise service. Phishers are abusing it to steal payment data. They exploit Smart Links to bypass email protection mechanisms and deliver malicious lures into the email inboxes of Microsoft users. Cofense

Tagged:

RSS: https://www.hackread.com/feed/


Subject: How to Spot and Avoid Zelle Scams in 2023
Source: tech.co
https://tech.co/news/how-to-spot-zelle-scams

[from the Zelle Hell dept … ] As a digital payments app that allows users to send and receive money directly to their bank accounts, scammers love Zelle.

Zelle is a popular digital payment platform that allows direct access to user bank accounts, which means that it is, of course, a prime target for scammers online.

Unfortunately, Zelle represents a particularly attractive scam candidate, as there is little recourse for scammed individuals to get their money back. So what can you do to keep yourself safe? You can understand what kind of Zelle scams are out there, so you can spot them before it’s too late.

What Are Zelle Scams?

Zelle scams are simply scams that are perpetrated through the Zelle platform. For those that don’t know, Zelle is an online payment service that allows users to send and receive money directly to their bank accounts. Unlike platforms like Venmo and CashApp, Zelle doesn’t have an in-app wallet, but instead facilitates transfers directly into and out of bank accounts for faster payments.

While this feature is understandably quite convenient, it does lend itself to abuse from scammers. Because the funds go immediately into, or in the case of scams out of, you’re bank account, there’s little recourse for getting it back when fraudulent situations arise.

Here are some of the most common Zelle scams to look out:

Category: https://tech.co/tag/privacy-security

RSS: https://tech.co/tag/privacy-security/feed/


Subject: How Ads on Your Phone Can Aid Government Surveillance
Source: WJS via MSN
https://www.bespacific.com/how-ads-on-your-phone-can-aid-government-surveillance/

WSJ via MSN – “Technology embedded in our phones and computers to serve up ads can also end up serving government surveillance. Information from mobile-phone apps and advertising networks paints a richly detailed portrait of the online activities of billions of devices. The logs and technical information generate valuable cybersecurity data that governments around the world are eager to obtain. When combined with classified data in government hands, it can yield an even more detailed picture of an individual’s behaviors both online and in the real world. A recent U.S. intelligence-community report said the data collected by consumer technologies expose sensitive information on everyone “in a way that far fewer Americans seem to understand, and even fewer of them can avoid.” The Wall Street Journal identified a network of brokers and advertising exchanges whose data was flowing from apps to Defense Department and intelligence agencies through a company called Near Intelligence. This graphic puts those specific examples in the context of how such commercially available information—bought, sold or captured by dozens of entities—can end up in the hands of intermediaries with ties to governments…

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.


Subject: New CISA and NSA Identity and Access Management Guidance Puts Vendors on Notice
Source: TechRepublic
https://www.techrepublic.com/article/new-nsa-cisa-iam-guidance/

This CISA-NSA guidance reveals concerning gaps and deficits in the multifactor authentication and Single Sign-On industry and calls for vendors to make investments and take additional steps.The National Security Agency and the Cybersecurity and Infrastructure Security Agency published on October 4, 2023, a document titled Identity and Access Management: Developer and Vendor Challenges. This new IAM CISA-NSA guidance focuses on the challenges and tech gaps that are limiting the adoption and secure employment of multifactor authentication and Single Sign-On technologies within organizations.

The document was authored by a panel of public-private cross-sector partnerships working under the CISA-NSA-led Enduring Security Framework. The ESF is tasked with investigating critical infrastructure risks and national security systems. The guidance builds on their previous report, Identity and Access Management Recommended Best Practices Guide for Administrators.

Sample RSS feed: https://www.techrepublic.com/rssfeeds/topic/security/


“Over the last two decades, a segment of the educational technology (EdTech) sector that markets student surveillance products to schools — the EdTech Surveillance industry — has grown into a $3.1 billion a year economic juggernaut with a projected 8% annual growth rate. The EdTech Surveillance industry accomplished that feat by playing on school districts’ fears of school shootings, student self-harm and suicides, and bullying — marketing them as common, ever-present threats. Capitalizing on its significant financial resources and political influence, the EdTech Surveillance industry has succeeded in shaping and controlling the narrative around its products. … As a result, from student communications monitoring to facial recognition technology, school districts are rapidly deploying a huge array of surveillance technologies to spy on their students in the name of “safety.” While buying these EdTech Surveillance products may make school districts feel safer, the reality is …
Table of Contents
Acknowledgements
Executive Summary
Introduction
The EdTech Surveillance Industry’s Deceptive Marketing Practices
Surveillance Technology in Schools Is Hurting Kids, Not Helping Them
Efforts to Push Back Against Student Surveillance
Recommendations and Conclusions: How To Protect Students and Promote Better Student Surveillance Technology Decision-Making
Methods
Appendix 1: Ed Tech Surveillance: 10 Leading Products
Appendix 2. Model Legislation: Student Surveillance Technology Acquisition Standards Act
Endnotes



Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: Anticipating the benefits of a passwordless tomorrow
Source: Help Net Security
https://www.helpnetsecurity.com/2023/10/17/passwordless-technology-move/

Moving to passwordless technology

  • Businesses are ready to embrace a passwordless future, with 92% having a plan to move to passwordless technology and 95% currently using a passwordless experience at their organization.
  • Businesses believe passkeys will help make them more secure: 92% believe passkeys will benefit their overall security posture, and 93% agree that passkeys will eventually help reduce the volume of unofficial (i.e., “Shadow IT”) applications.
  • However, many recognize that work still needs to be done: A majority of businesses surveyed are still using phishable authentication methods, such as passwords (76%) and multi-factor authentication (MFA) (43%) when it comes to authenticating users within their organization.
  • The majority recognize that this transition will take time and education: 55% of IT leaders surveyed feel they need more education on how passwordless technology works and/or how to deploy it, and 28% cited concerns that users may be resistant to change or using a new technology.
  • When making this transition, businesses made it clear they want to choose where they store passkeys, with 69% of IT leaders anticipating storing them in a third-party password manager.

See also: https://www.helpnetsecurity.com/2022/11/09/2fa-3fa-mfa-video/


Subject: Why disaffected employees are your greatest cybersecurity risk
Source: Federal News Network
https://federalnewsnetwork.com/cybersecurity/2023/10/why-disaffected-employees-are-your-greatest-cybersecurity-risk/


Insider cybersecurity threats are just as potent as Russian and Chinese hackers. Some employees make mistakes, clicking on that bad phishing link. Unhappy or disgruntled employees, that’s another matter. Federal Drive with Tom Temin talked with someone who says such people are far more susceptible than average to social-engineering attacks. Tom’s guest was Max Shier, Chief Information Security Officer at Optiv.



Filed:
https://federalnewsnetwork.com/category/technology-main/cybersecurity/

RSS:
https://federalnewsnetwork.com/category/technology-main/cybersecurity/feed/


Subject: The Fake Browser Update Scam Gets a Makeover
Source: Krebs on Security
https://krebsonsecurity.com/2023/10/the-fake-browser-update-scam-gets-a-makeover/

One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

Earlier this month, researchers at the Tel Aviv-based security firm Guardio Labs said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guard.io said.

But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”

Site RSS feed:
https://krebsonsecurity.com/feed/


Subject: Google Rolls Out New Accessibility Features to Make Tasks Easy
Source: Gizmodo
https://gizmodo.com/google-rolls-out-new-accessibility-features-1850934881

New features in Maps, Search and Chrome are aimed at helping users with disabilities navigate their devices more easily. Google announced Tuesday a slew of new ways to help those with a wide range of disabilities use its products.

The company added a new business attribute icon to its Maps and Search products allowing businesses to self-identify as disabled-owned. The icon adds to Google’s growing list of business attributes, including Black-owned, Asian-owned and LGBTQ+ friendly.

Google also released Magnifier, a camera-based app designed to use the Pixel’s camera like a magnifying glass, allowing users to zoom in and add color filters. The app was designed alongside the Royal National Institute of Blind People and the National Federation of the Blind, and it’s helpful for low-vision people to see small details in the world around them. The filters can enhance the contrast, brightness and color of small text and other subtleties that people with low vision may struggle with. The feature will be available on the Pixel 5 and up, excluding the Pixel Fold.

Some other Google Accessibility articles: https://blog.google/outreach-initiatives/accessibility/


Subject: Login.gov to add facial recognition tech
Source: Nextgov/FCW
https://www.nextgov.com/digital-government/2023/10/logingov-add-facial-recognition-tech/391300/

The General Services Administration is changing its digital identity service to allow users to authenticate themselves by matching against a previously submitted government ID. The General Services Administration will add facial recognition technology to Login.gov, a single sign-on service for Americans to get government benefits and services online, the agency announced Wednesday.

The agency said in its Wednesday announcement it will be rolling out the technology next year. GSA says it will also add another new digital identity verification option for those who don’t want to use facial recognition technology. This method is still to be determined but it could involve real-time identity verification via live video chat or other platform.

Both the facial recognition and video chat options are part of GSA’s push to bring the service in line with government digital identity standards established by the National Institute of Standards and Technology. GSA’s Inspector General lambasted officials for misleading other federal agencies using the service about its level of compliance in a report earlier this year. Using facial recognition technology is the easiest way to meet those standards online.

Login.gov’s in-person option offered at U.S. Postal Service locations is the third way to meet NIST standards for identity proofing, called identity assurance level two. In online situations, Login.gov currently uses data checks of government IDs and phone numbers or addresses to verify people’s identities, relying at least in part on data vendor LexisNexis.

A major question the agency says it’s studying — one that is of urgent interest to advocates opposed to facial recognition technology as well — is whether or not facial recognition systems have bias in terms of skin tone and demographics.

RSS feed: https://www.nextgov.com/rss/digital-government/


Subject: Covid Relief Payments Triggered Feds to Demand Money Back From Social Security Recipients
Source: KFF Health News
https://kffhealthnews.org/news/article/social-security-overpayments-congress-hearing/

[from the “AI will fix all of this” dept.]

Vaughn and other recipients didn’t ask for the covid money. The checks, known as economic impact or stimulus payments, landed automatically in their mailboxes or bank accounts in three installments in 2020 and 2021. The payments, which were based on the recipient’s income, totaled as much as $3,200 per person.

The payments pushed some beneficiaries’ bank balances above the $2,000 asset limit for individuals on Supplemental Security Income (SSI), a program for people with little or no income or assets who are blind, disabled, or 65 or over. The limit, which hasn’t been adjusted for inflation in decades, can discourage people from working or saving more than a perilously small amount of money.

In some cases, when the Social Security Administration belatedly noticed the higher bank balances, it concluded the beneficiaries no longer qualified for SSI, according to people affected. Then the agency set out to recapture years of SSI benefits it alleged they shouldn’t have received.

Even as recipients appealed the actions, the agency stopped sending monthly benefit checks.

Actions Defy Agency’s Own Policy

The covid stimulus payments aren’t supposed to trigger Social Security clawbacks. Early in the pandemic, the Social Security Administration said that, when assessing people’s eligibility for SSI, it would exclude the payments for 12 months. Later, it said it would exclude them indefinitely. But what the agency says and what it does — indeed, what it is capable of doing — are often very different, people who study the agency said.


Subject: Google-hosted malvertising leads to fake Keepass site that looks genuine
Source: Ars Technica
https://arstechnica.com/security/2023/10/google-hosted-malvertising-leads-to-fake-keepass-site-that-looks-genuine/

Google-verified advertiser + legit-looking URL + valid TLS cert = convincing look-alike. Google has been caught hosting a malicious ad so convincing that there’s a decent chance it has managed to trick some of the more security-savvy users who encountered it.

Looking at the ad, which masquerades as a pitch for the open source password manager Keepass, there’s no way to know that it’s fake. It’s on Google, after all, which claims to vet the ads it carries. Making the ruse all the more convincing, clicking on it leads to ķeepass[.]info, which, when viewed in an address bar, appears to be the genuine Keepass site.

“Users are first deceived via the Google ad that looks entirely legitimate and then again via a lookalike domain,” Jérôme Segura, head of threat intelligence at security provider Malwarebytes, wrote in a post Wednesday that revealed the scam.

Information available through Google’s Ad Transparency Center shows that the ads have been running since Saturday and last appeared on Wednesday. The ads were paid for by an outfit called Digital Eagle, which the transparency page says is an advertiser whose identity has been verified by Google.

The sleight of hand that allowed the imposter site xn--eepass-vbb[.]info to appear as ķeepass[.]info is an encoding scheme known as punycode. It allows unicode characters to be represented in standard ASCII text. Looking carefully, it’s easy to spot the small comma-like figure immediately below the k. When it appears in an address bar, the figure is equally easy to miss, especially when the URL is backed by a valid TLS certificate, as is the case here.
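As an added example (not from the Ars Technica or Malwarebytes write-ups), the following Python decodes the punycode form quoted above with the standard library's IDNA codec and flags hosts whose diacritic-stripped form collides with a protected brand domain; the protected-domain list is a constructed assumption, and the check deliberately covers only combining-mark tricks like the cedilla under the k, not whole-script confusables.

```python
import unicodedata

# Constructed allowlist of brand domains to protect (assumption for this example).
PROTECTED_DOMAINS = {"keepass.info"}


def refang(host: str) -> str:
    """Undo the '[.]' defanging convention used in threat reports and lowercase."""
    return host.strip().lower().replace("[.]", ".")


def to_unicode(host: str) -> str:
    """Decode IDNA/punycode labels (xn--...) to Unicode via the stdlib 'idna' codec.

    A host that is already Unicode cannot be ASCII-encoded and is returned as-is.
    """
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def to_ascii(host: str) -> str:
    """Encode a Unicode host to its ACE (xn--) form, e.g. for log comparison."""
    return host.encode("idna").decode("ascii")


def skeleton(host: str) -> str:
    """Strip combining marks so 'ķeepass' collapses to 'keepass'.

    NFKD decomposes U+0137 into 'k' + U+0327 (combining cedilla); dropping the
    combining marks leaves the base letter. Whole-script confusables (e.g.
    Cyrillic 'а' for Latin 'a') are NOT handled; they need a confusables table.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def analyze(host: str) -> dict:
    """Return decoded forms of a host and the protected domain it imitates, if any."""
    clean = refang(host)
    uni = to_unicode(clean)
    is_idn = any(ord(c) > 127 for c in uni)
    skel = skeleton(uni)
    # Only an IDN whose stripped form equals a protected domain is a lookalike.
    lookalike = skel if (is_idn and skel != uni and skel in PROTECTED_DOMAINS) else None
    return {"ascii": to_ascii(uni), "unicode": uni, "skeleton": skel,
            "is_idn": is_idn, "lookalike_of": lookalike}


if __name__ == "__main__":
    for h in ("xn--eepass-vbb[.]info", "\u0137eepass.info", "keepass.info"):
        print(analyze(h))
```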


Subject: Colorado Court Punts on Reverse Keyword Search Warrants
Source: Gizmodo
https://gizmodo.com/reverse-keyword-search-warrants-explainer-colorado-1850945867

Colorado’s Supreme Court this week had the opportunity to hand down a historic judgment on the constitutionality of “reverse keyword search warrants,” a powerful new surveillance technique that grants law enforcement the ability to identify potential criminal suspects based on broad, far-reaching internet search results. Police say the creative warrants have helped them crack otherwise cold cases. Critics, which include more than a dozen rights organizations and major tech companies, argue the tool’s immense scope tramples on innocent users’ privacy and runs afoul of Fourth Amendment Protections against unreasonable searches by the government.

Critics fear these broad warrants, which compel Google and other tech companies to sift through their vast cornucopia of search data to sniff out users who’ve searched for specific keywords, could be weaponized against abortion seekers, political protestors, or even everyday internet users who inadvertently type a result that could someday be used against them in court.

Posted in: AI, Civil Liberties, Cybercrime, Cybersecurity, Education, Government Resources, Privacy, Technology Trends