Pete Recommends – Weekly highlights on cyber security issues, August 9, 2024

Subject: Government IT systems in the hands of a single vendor puts agencies at risk
Source: Federal News Network
https://federalnewsnetwork.com/commentary/2024/08/government-it-systems-in-the-hands-of-a-single-vendor-puts-agencies-at-risk/

The Center for Cybersecurity Policy and Law (CCPL) wanted to look at this question of concentration risk. In order to provide both sides of the picture, CCPL conducted a real-time tabletop exercise in April that saw a group of security experts simulating an attack against two fictional U.S. agencies with varying degrees of IT concentration and diversity. The intent of the exercise was to investigate how these differently constructed systems, between the two government agency targets, influenced the actions, successes and failures of the adversarial team testing such networks. This exercise enables cybersecurity professionals to test their defenses, and similar exercises have been conducted by both government and industry.

The exercise showed a stark difference between the two agencies and suggested that having a diverse IT environment can help stave off attackers. After analysis of the results, the Center for Cybersecurity Policy and Law drafted a full report that offered the following recommendations:



Subject: Apple says Safari protects your privacy. We fact-checked those claims

Washington Post via Yahoo: “…Apple deserves credit for making many privacy protections automatic with Safari, which you probably use to browse the web if you have an iPhone, Mac computer or iPad. But Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, said Safari is no better than the fourth-best web browser for your privacy. “If browser privacy were a sport at the Olympics, Apple isn’t getting on the medal stand,” Cahn said. (Apple did not comment about this.) The bottom line if you use Safari: You should feel reasonably good about the privacy (and security) protections, but you can probably do better – either by tweaking your Apple settings or using a web browser that’s even more private than Safari. I’ll dig into the details…”[…]


Subject: Nearly 3 billion people just had their data leaked!!
Source: Android Headlines
https://www.androidheadlines.com/2024/08/3-billion-data-leaked.html

Data breaches happen all the time nowadays, and they usually involve thousands or tens of thousands of people. When more than a million folks are affected, that’s cause for alarm. However, one of the largest breaches in history just happened, and it compromised the data of nearly 3 billion people. Right now, information about this case is still coming out, so you’ll want to stay tuned for updates.

A data breach exposed the information of nearly 3 billion people

A breach of this scale is no laughing matter. Tech firms usually have data breaches, but much of the time, the information leaked isn’t too serious. However, this breach is something to keep you up at night.

The company that was breached is called National Public Data. Also called Jerico Pictures, it’s a background check company. So, you can see why it was targeted by data-hungry hackers. It is savvy to the data of billions of individuals, as it needs to access this data to perform the background checks. However, the issue is that the company would tap third-party companies that have people’s data. People whose data is accessed by National Public Data didn’t consent to having their data stored on their servers.

The number of affected individuals stands at 2.9 billion. This makes it one of the biggest hacks in history, trailing behind the Yahoo! breach of 2013. This huge hack means huge consequences for whoever did this if they’re caught. The data, which consists of full names, addresses, social security numbers, and information on people’s relatives, is being listed on the dark web for $3.5 million.

The lawsuit

This big breach comes bundled with a lawsuit. The plaintiff is Christopher Hofmann. He alleges breach of fiduciary duty and third-party beneficiary contract, negligence, and unjust enrichment by National Public Data. He has quite the list of demands, including financial compensation. Along with that, he demands that the company conduct database scanning, bring in a security threat management system, segment its data, and employ a third-party entity to evaluate the cybersecurity framework of the company once a year for the next 10 years.


Subject: Lawmakers look to clarify electronic medical device use in secure facilities
Source: Nextgov/FCW
https://www.nextgov.com/people/2024/08/lawmakers-look-clarify-electronic-medical-device-use-secure-facilities/398578/

A Senate bill would charge an “Electronic Medical Device Governance Board” with reviewing agencies’ policies regarding the use of digital healthcare instruments in highly-classified facilities.

Two Democratic lawmakers are looking to establish standardized policies and transparency requirements for the use of electronic medical devices in sensitive compartmented information facilities, or SCIFs.

The legislative proposal, from Sens. Peter Welch, D-Vt., and Bob Casey, D-Pa., would pave the way for employees who use certain healthcare instruments to work in the facilities that store highly classified information, while also still maintaining strict security standards.

The bill is primarily focused on outlining the types of devices allowed in SCIFs, while also requiring officials to pay more attention to the medical instruments that are allowed and not allowed in the various classified facilities. Agencies do not typically allow electronic devices, whether cell phones or other digital gadgets, into SCIFs to maintain the security of the sensitive data stored within them.

The legislation would also empower the “Electronic Medical Device Governance Board,” which was outlined in ODNI’s report, with reviewing “electronic medical device security and equity concerns for covered agencies” and establishing “a publicly accessible database of electronic medical devices that have been approved or denied.”

[hope our adversaries don’t have access to that list]


Subject: My journey into the surreal, infuriating future of homeowners insurance
Source: Business Insider
https://www.bespacific.com/my-journey-into-the-surreal-infuriating-future-of-homeowners-insurance/

Insurers have every incentive to be overly cautious in how they build their AI models. No one can use AI to know the future; you’re training the technology to make guesses based on changes in roof color and grainy aerial images. But even the best AI models will get a lot of predictions wrong, especially at scale and particularly where you’re trying to make guesses about the future of radically different roof designs across countless buildings in various environments. For the insurance companies designing the algorithms, that means a lot of questions about when to put a thumb on the scale in favor of, or against, the homeowner. And insurance companies will have huge incentives to choose against the homeowner every time.



Abstracted from beSpacific


Subject: Text message exploits are scarier than ever, but you can protect yourself with these tips
Source: Android Central
https://www.androidcentral.com/phones/text-message-exploits-are-scarier-than-ever-but-you-can-protect-yourself-with-these-tips

Google shares a growing SMS security issue and advises users on how to take preventative action.

What you need to know

  • SMS is still used as a fallback for modern messaging services, like iMessage and RCS, although it is insecure.
  • Bad actors can trick your phone into connecting to a False Base Station (FBS) or Stingray, which are portable radio devices.
  • Then, these scammers and fraudsters use the frailty of aging and insecure 2G networks to try and deceive users and capture information.

New messaging standards are the talk of the town, from RCS to iMessage. However, you may know that critical infrastructure still relies on SMS messaging, which is decades old and has many security issues. In fact, SMS and MMS text messages are often used as a fallback when better options, like iMessage or RCS, are unavailable. It’s this reliance on aging and insecure messaging infrastructure that allows bad actors to use it to their advantage, committing text message fraud.

It’s tough to keep up with all the evolving scams and tricks, and Google published a security blog post explaining the latest Android text message scam, which exploits 2G networks. It’s called SMS Blaster Fraud, and it tricks your device into what it thinks is a secure cell tower. Instead, you’re actually connecting to a stranger’s device, which will then be used for a smishing attack (SMS phishing). You could think you’re giving information to a trusted source, but actually end up handing it right over to the bad guys.

So, is it worth disabling 2G to prevent SMS Blaster Fraud? It might be, but a better option may be to become more aware that SMS messages have a high chance of being scams. If you are being asked to share personal information, one-time passwords, or other types of highly sensitive information, it’s probably not authentic. Keeping a keen eye for fraud and scams and being more vigilant could be more helpful in the long run than disabling 2G and forgetting about it.


Subject: Biden to Ban Chinese Driving Tech Amid National Security Fears
Source: tech.co
https://tech.co/news/chinese-driving-tech-in-us-ban

The Biden Administration is moving to ban Chinese software in self-driving vehicles – as the relationship between the two global superpowers continues to sour.

In a move that points to wider fears surrounding China’s technological influence, the federal government will soon roll out legislation to prevent Chinese companies from testing their technology on US soil. The federal government has already barred Huawei from selling products in the US and looks set to follow suit with TikTok.

Timelines are not forthcoming, but experts predict that the Department of Commerce (DoC) could table the bill within the next few weeks.

Chinese Automotive Tech in US Government Ban

According to Reuters, the DoC is putting finishing touches to a ban that would leave Chinese big tech companies, such as search engine giant Baidu, out in the cold.

As per the rule, Chinese software would be banned from vehicles with Level 3 automation and above. This refers to cars that fully ‘allow drivers to take their eyes off the road’ – from those that still require a driver, to fully autonomous robo-taxis.

China Pushes Back on Ban

Unsurprisingly, Chinese officials have been quick to voice their dissent. A spokesperson from the Ministry of Foreign Affairs condemned ‘the US’s generalization of the concept of national security and discriminatory practices.’ Retaliation is likely.

Relations between US and China have been tense in the last few years, with former President Donald Trump adopting a particularly hardline stance against the superpower, including banning Huawei from sale in the US. This latest move seeks to loosen China’s grip on the US market.

Whatever the outcome, one thing is for certain – US national security anxieties are spiraling. Commerce is just the latest battleground in a long-running saga.


Subject: Home Security Giant ADT Admits It Has Been Hacked
Source: TechCrunch via Gizmodo
https://gizmodo.com/home-security-giant-adt-admits-it-has-been-hacked-2000484710

ADT, one of the largest home security providers in the U.S., has been hacked. The breach, which was disclosed in a filing with the Securities and Exchange Commission on Wednesday, involves multiple databases containing customer information, including home addresses, emails, and phone numbers.

TechCrunch, which originally reported the breach, notes that the company’s disclosure comes only a week after a seller on a cybercrime forum claimed to have over 30,000 customer records stolen from the company. As ADT’s SEC filing states, the data that was stolen includes “email addresses, phone numbers and postal addresses.”

ADT notably sells home security systems with live video feeds, though the company has stated that these systems were not breached in the course of the incident. In a statement provided to Gizmodo, ADT asserted that “none of our customers’ home security systems were compromised and no personally sensitive information, credit card data, or banking information was accessed.” ADT claims that the customers impacted by the breach “comprise a small percentage” of its “overall subscriber base.”

If you are an ADT customer and you were impacted by the recent data breach, you should’ve received a notice from the firm by now. If you want to check with the company, however, ADT has provided a dedicated phone number with a support team to answer customers’ questions. You can call: (866) 437-9016.
