Subject: ICE’s ‘outdated and overly permissive’ device policy left the agency vulnerable, watchdog warns
Source: Nextgov/FCW
https://www.nextgov.com/cybersecurity/2023/11/ices-outdated-and-overly-permissive-device-policy-left-agency-vulnerable-watchdog-warns/391771/
Personnel and contractors at U.S. Immigration and Customs Enforcement kept apps on their mobile devices that threatened security at the agency, including apps from companies banned on government systems and others associated with American adversaries, third-party virtual private networks and outdated messaging applications, according to an audit conducted by the Department of Homeland Security’s Inspector General this spring.Device management issues at the agency make it more vulnerable to “potential espionage, leaks and attacks from viruses,” the new oversight report reads.
Now, ICE is updating its personal use policies for agency-issued mobile devices, blocking mobile apps from companies prohibited by the government, patching or removing vulnerable messaging apps and more, according to the report.
The watchdog cited “ICE’s outdated and overly permissive personal use policy, which enables nearly unlimited personal use of ICE-issued mobile devices” as the reason for the problems.
ICE also didn’t do enough to manage or monitor user-installed apps, the report states, and the watchdog found that the controls associated with user-installed apps at ICE — including secure software containers, mobile threat defense software and mobile device management tech designed to enforce security policies — weren’t sufficient.
Although some details are redacted from the report, such as how many devices and how many apps were involved, the report does state that some mobile devices housed apps banned from government systems because of spying and national security risks.
Over the summer, ICE blocked VPN apps and those from banned or known to be nefarious companies, according to the report. It also directed employees to remove non-mission-related apps from their devices, and has been conducting forensics on known devices with banned apps. It hasn’t found evidence of “nefarious activity,” the report states.
…
Filed: https://www.nextgov.com/cybersecurity/
Source: Route Fifty
https://www.route-fifty.com/infrastructure/2023/11/public-power-ballot-maine-will-voters-take-leap-faith/391763/
Personnel and contractors at U.S. Immigration and Customs Enforcement kept apps on their mobile devices that threatened security at the agency, including apps from companies banned on government systems and others associated with American adversaries, third-party virtual private networks and outdated messaging applications, according to an audit conducted by the Department of Homeland Security’s Inspector General this spring.Device management issues at the agency make it more vulnerable to “potential espionage, leaks and attacks from viruses,” the new oversight report reads.
Now, ICE is updating its personal use policies for agency-issued mobile devices, blocking mobile apps from companies prohibited by the government, patching or removing vulnerable messaging apps and more, according to the report.
The watchdog cited “ICE’s outdated and overly permissive personal use policy, which enables nearly unlimited personal use of ICE-issued mobile devices” as the reason for the problems.
ICE also didn’t do enough to manage or monitor user-installed apps, the report states, and the watchdog found that the controls associated with user-installed apps at ICE — including secure software containers, mobile threat defense software and mobile device management tech designed to enforce security policies — weren’t sufficient.
Although some details are redacted from the report, such as how many devices and how many apps were involved, the report does state that some mobile devices housed apps banned from government systems because of spying and national security risks.
Source: CNN Business
https://www.cnn.com/2023/11/03/investing/bank-deposit-outage/index.html
New York CNN — Multiple US banks were hit by deposit delays on Friday caused by an error at a payment processing network, according to the Federal Reserve.
Banks stressed that customer deposits remain safe, and the bug was introduced by human error and not a malicious attack. Although the rare deposit delay affected deposits at a large number of banks, it appeared that other banking systems were functioning normally.
Bank of America alerted customers that their deposits may be delayed due to a problem impacting multiple banks. A Chase spokesperson confirmed to CNN that some of its customers’ direct deposits haven’t updated.
…
The Federal Reserve alerted banks Friday afternoon the problem was caused by a “processing issue” at the private sector operator of the Automated Clearing House (ACH), a national network for processing transactions.
…
The Clearing House, the private sector operator of ACH, confirmed to CNN that it “experienced a processing issue” with a batch of bank transactions. Greg MacSweeney, a spokesperson for The Clearing House, said the problem was caused by a “manual error” and is not linked to a cybersecurity issue.
[where is TOO BIG TO FAIL when you need it? /pmw1]
There was no update on when the problem will be resolved.
Source: Gizmodo
https://gizmodo.com/data-brokers-sell-info-on-military-personnel-cheap-1850991378
Want to buy invasive personal details about an active-duty service member who works on a specific military base? You better have $0.12, because according to a new study that’s all it costs. The good news is the unregulated data brokers who sell that information probably won’t ask you any pesky questions about your plans….
The researchers approached 12 data brokers about buying the data and were able to purchase sweeping records on tens of thousands of military service members for $0.12 to $0.32 per person. (The study doesn’t include the names of data brokers to avoid potential legal liability.) The data included names, home addresses, emails, political affiliations, genders, ages, religions, incomes, net worths, credit ratings, occupations, health information, religious affiliations, marital status, and the presence of children in the home.
Source: gHacks Tech News
https://ghacks.net/2023/11/06/apple-find-my-network-keylogger-attacks/
Apple’s “Find My” network is a powerful tool that can help users locate their lost or stolen devices. It works by using a combination of GPS and Bluetooth signals from other Apple devices to pinpoint the location of a missing device.When a user enables “Find My” on their device, it starts sending out Bluetooth signals in a constant loop. These signals are detected by other Apple devices within range, which then anonymously relay their location to the owner through the “Find My” network.
This process is very efficient, and it allows users to locate their lost or stolen devices even if they are offline. However, it also introduces a potential security risk.
Find My network’s abuse – Researchers at Positive Security recently discovered that the “Find My” network can be abused by malicious actors to exfiltrate keylogged passwords. They created a proof-of-concept hardware device that demonstrated how this attack can be carried out.
Source: EFF
https://www.bespacific.com/how-goguardian-invades-student-privacy/
EFF: “GoGuardian is a student monitoring tool that watches over twenty-seven million students across ten thousand schools, but what it does exactly, and how well it works, isn’t easy for students to know. To learn more about its functionality, accuracy, and impact on students, we filed dozens of public records requests and analyzed tens of thousands of results from the software. Using data from multiple schools in both red and blue states, what we uncovered was that, by design, GoGuardian is a red flag machine—its false positives heavily outweigh its ability to accurately determine whether the content of a site is harmful. This results …
—
Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.
EFF Mastodon RSS feed: https://mastodon.social/@eff.rss
Related Issues – Student Privacy
Source: Cord Cutters News
https://cordcuttersnews.com/cybercriminals-are-using-siri-and-google-voice-assistants-to-scam-people/
Scammers are preying on people who use voice assistant technology apps like Siri, Google Assistant, and Alexa to look up customer service phone numbers.Cybercriminals are aware of users’ reliance on these features and have devised ways to trick them into paying fees for services they didn’t expect to be charged for, the Michigan Attorney General’s office said yesterday. If the fake phone number appears in the top search results, the voice assistants will choose it.
Increasingly, scammers are targeting cord cutters by putting fake customer service phone numbers online. Cord cutters searching for how to call popular services like Netflix, for example, are not finding the phone number to the service but a scammer’s number. From there, the scammers try to charge them for customer service or get them to sign up for services they don’t need. The Federal Communications Commission estimated that cybercriminals schemes have cost consumers upwards of $330 million last year.
In the meantime, understanding the tactics scammers use is a good way to protect yourself. Bad actors often use phishing scams — email or text messages with cleverly worded requests designed to get you to respond with your personal information. These messages often try to convince you that your payment method failed or your account is compromised — an ask you to click a link to fix it. Do not click the link — even if it sounds urgent.
Source: Gizmodo
https://gizmodo.com/widen-bill-end-fbi-702-warrantless-fisa-searches-1850998812
A rare bipartisan coalition of lawmakers has teamed up to propose major privacy reforms that could fundamentally reign in the US government’s most powerful domestic surveillance tools.If passed, the newly proposed Government Surveillance Reform Act (GSRA) would force law enforcement agencies to obtain a legal warrant before conducting searches as part of Section 702 of the Foreign Intelligence Surveillance Act (FISA). Critics say the current lack of a warrant requirement for accessing the 702 database serves as an unconditional end-run around Americans’ Fourth Amendment protections. The proposed legislation comes towards the tail end of a tense, year-long battle over the future of highly controversial surveillance, which is set to expire at the end of this year.
Section 702, enacted back in 2008, was initially sold as a foreign surveillance tool used to target terrorists. But outdated and under-developed language in the policy has granted intelligence agents and law enforcement with a sneaky back door to harvest vast troves of US communications. Those private communications are then regularly surveilled without a warrant and, in some cases, used to prosecute people in criminal court.
Source: Route Fifty
https://www.route-fifty.com/digital-government/2023/11/delete-act-closes-big-loophole-and-tightens-regulations-data-brokers/391855/
California is the first state to allow residents to request that data brokers delete their personal data, but some worry it will be difficult to implement and enforce.
Known as the DELETE Act, the law signed last month by Gov. Gavin Newsom requires data brokers to register with the California Privacy Protection Agency and disclose the types of personal information they collect. It also mandates that the CPPA create a free and simple way for state residents to direct all data brokers to delete any personal information they hold on them, and imposes civil penalties and fines on brokers that do not follow the law.
This month, researchers at Duke University’s Sanford School of Public Policy found that it is “not difficult” to obtain sensitive data about active-duty military members, their families and veterans, with those records available for purchase for as low as 12 cents each.
…
Source: gHacks Tech News
https://ghacks.net/2023/11/07/suspicious-microsoft-authenticator-requests-dont-trigger-notifications-anymore/
Login requests that are considered suspicious won’t trigger the notifications anymore. Threat actors would bombard users with notification requests in the past, in the hope that users would approve sign-ins eventually to get rid of the notifications. For this, it was necessary to have the correct username and password of the account.
Requests that have potential risks will be suppressed now by Microsoft Authenticator. Factors such as the location of the request or anomalies play a role in the assessment.
Closing Words
The new protective system blocks notifications of suspicious authentication requests now. This should reduce the number of unintentional confirmations by users of Microsoft Authenticator.
Source: Nextgov/FCW
https://www.nextgov.com/cybersecurity/2023/11/nist-releases-revised-cyber-requirements-controlled-unclassified-information/391904/
The proposed revisions will ideally serve as a “balanced, strong starting point” for agencies and contractors that deal with sensitive information, a NIST official said.The National Institute of Standards and Technology on Thursday released draft guidance for protecting sensitive unclassified information, outlining revised cybersecurity requirements for federal agencies and government contractors to take when it comes to safeguarding government data.
The proposed guidelines are the third iteration of NIST’s standards and practices for protecting controlled unclassified information — or CUI — which refers to government-owned or created data that is not classified but still requires security controls.
The updates to NIST special publication 800-171 that were released on Thursday include drafts of both the security requirements and assessment procedures for evaluating threats to CUI. A public comment period for both draft publications will be open until Jan. 12, 2024, and the agency is planning to publish its final rule some time in early 2024.
…
The latest release of NIST’s proposed revisions to 800-171 comes as the Defense Department continues to finalize enhanced cyber requirements for the defense industrial base, known as the Cybersecurity Maturity Model Certification. The certification program requires defense firms to be in compliance with NIST’s standards for safeguarding CUI.
Filed in:
Source: Engadget
https://www.engadget.com/every-car-is-a-smart-car-and-its-a-privacy-nightmare-193010478.html
Mozilla recently reported that of the car brands it reviewed, all 25 failed its privacy tests. While all, in Mozilla’s estimation, overreached in their policies around data collection and use, some even included caveats about obtaining highly invasive types of information, like your sexual history and genetic information. As it turns out, this isn’t just hypothetical: The technology in today’s cars has the ability to collect these kinds of personal information, and the fine print of user agreements describes how manufacturers get you to consent every time you put the keys in the ignition.
So, it makes sense that a car manufacturer would include every type of data imaginable in its privacy policy to cover the company legally if it stumbled into certain data collection territory. Nissan’s privacy policy, for example, covers broad and frankly irrelevant classes of user information, such as “sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information” under types of personal data collected.
And in much the same way a “dumb” tv is considerably harder to find these days, most consumers would be hard pressed to find a new vehicle option that doesn’t include some level of onboard tech with the capacity to record their data. A study commissioned by Senator Ed Markey nearly a decade ago found all modern cars had some form of wireless technology included.
Ford’s privacy policy explicitly states that the owners of its vehicles “must inform others who drive the vehicle, and passengers who connect their mobile devices to the vehicle, about the information in this Notice.” That’s about 60 pages of information to relay, if you’re printing it directly from Ford’s website — just for the company and not even the specific car.
According to Privacy4Cars founder Andrea Amico, be sure to get it in writing from the dealer how they plan to delete your data from the vehicle before reselling it. “There’s a lot of things that consumers can do to actually start to protect themselves, and it’s not going to be perfect, but it’s going to make a meaningful difference in their lives,” Amico said.
Site RSS feed: https://www.engadget.com/rss.xml