Pete Recommends – Weekly highlights on cyber security issues, October 26, 2024

Subject: Simplifying manual accessibility testing: how plain language instructions drive compliance
Source: Open Data, Design, & Development at the Office of Natural Resources Revenue
https://blog-nrrd.doi.gov/plain-language-accessibility/

Accessibility is one of the foundational pillars for inclusion, diversity, and equity within the federal government. The main way the government establishes accessibility requirements for information and communication technology is through Section 508 of the Rehabilitation Act. The Office of Natural Resources Revenue (ONRR) is committed to making its digital products accessible. Our Open Data, Design, and Development (ODDD) team has previously chronicled ONRR’s efforts to implement accessibility policy, create accessible products, and evaluate what accessibility resources are needed.This blog details how we strive to manually test all our digital products by providing plain language instructions for all testers to follow. Developing these instructions ensures that manual testing methodology is uniform across our agency. It also eases testers’ burden by reducing the amount of time needed to understand each accessibility requirement.

Here are our best practices and main takeaways from this blog post:

[…]

Conclusion -A ccessibility is a fundamental priority for the ODDD team and ONRR. By developing and implementing plain language instructions for both document and website accessibility testing, we empowered not only our small team but also our SMEs to take active roles in ensuring Section 508 compliance. These resources streamlined our manual testing process and created a more consistent and collaborative approach to accessibility. Ensuring that our products are accessible is an ongoing and iterative task. As we learn about new/improved methodologies, we will update our instructions accordingly. As we move forward, our accessibility commitment will continue to guide our efforts in creating inclusive, equitable, and accessible digital experiences for everyone.

See site: https://blog-nrrd.doi.gov/

[13-pages of multiple articles]

Subject: Login.gov facing technical difficulties and cost uncertainty, watchdog says
Source: FedScoop
https://fedscoop.com/login-gov-facing-technical-difficulties-cost-uncertainty/

The single sign-on platform faces scrutiny from the GAO for non-compliance with NIST remote identity proofing standards.

The General Services Administration’s Login.gov, a single sign-on platform that recently made remote identity proofing generally available, needs to address technical challenges concerning the biometric validation pilot program, according to a new government watchdog report.

The Government Accountability Office said that nine of the participating 21 Chief Financial Officers Act agencies reported issues with Login.gov, including lack of fraud controls and visibility into authentications as well as high failure rates. Additionally, eight agencies shared challenges regarding Login.gov’s pricing, including the inability to get a multi-year pricing plan or insight into the service’s annual renewal process, as well as the potential for prices to rise between years.

In This Story

Subject: Microsoft creates fake Azure tenants to pull phishers into honeypots
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/microsoft-creates-fake-azure-tenants-to-pull-phishers-into-honeypots/

Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and lure cybercriminals in to collect intelligence about them.With the collected data, Microsoft can map malicious infrastructure, gain a deeper understanding of sophisticated phishing operations, disrupt campaigns at scale, identify cybercriminals, and significantly slow down their activity.

The tactic and its damaging effect on phishing activity was described  at BSides Exeter conference by Ross Bevington, a principal security software engineer at Microsoft calling himself Microsoft’s “Head of Deception.”

Bevington created a “hybrid high interaction honeypot” on the now retired code.microsoft.com to collect threat intelligence on actors ranging from both less skilled cybercriminals to nation state groups targeting Microsoft infrastructure.

Filed: https://www.bleepingcomputer.com/news/security/

Tagged:

Subject: New website tracks government’s many digital services teams
Source: StateScoop
https://statescoop.com/digital-service-network-tracker-2024/

The Digital Service Network created a new online tool that tracks the many digital services teams popping up in all levels of government.

Last week, the Digital Service Network at the Beeck Center for Social Impact and Innovation at Georgetown University published a new online tracker that documents details about government digital service teams across the country.The new Government Digital Service Team Tracker, which was published on the Digital Service Network’s new Digital Government Hub reference website on Oct. 10, so far documents 28 digital services teams, their formation dates, locations, structures, and mandates or enabling legislation, among other information.Along with state-level digital services teams, the tracker includes information about city-level teams and federal teams, such as the U.S. Digital Service and the the General Services Administration’s 18F team.

“We state it on on the Digital Government Hub, but the definition we have settled on for now is that digital service teams are in-house teams of digital practitioners with a certain type of expertise,” said Pulawski, who also works at the Beeck Center’s Intergovernmental Software Collaborative. “We say that expertise needs to, at minimum, be expertise in user-centered design and research and agile product management, and then data-driven decision making.”

In This Story

Filed: https://statescoop.com/news/digital-services/

Subject: Internet Archive breached again through stolen access tokens
Source: Bleeping Computer.
https://www.bleepingcomputer.com/news/security/internet-archive-breached-again-through-stolen-access-tokens/

Internet Archive breached again through stolen access tokens. The Internet Archive was breached again, this time on their Zendesk email support platform after repeated warnings that threat actors stole exposed GitLab authentication tokens.

Since last night, BleepingComputer has received numerous messages from people who received replies to their old Internet Archive removal requests, warning that the organization has been breached as they did not correctly rotate their stolen authentication tokens.

“It’s dispiriting to see that even after being made aware of the breach weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets,” reads an email from the threat actor.

Tagged:

Filed: https://www.bleepingcomputer.com/news/security/

Subject: Meta facial recognition makes a comeback to stop ‘celeb clickbait’
Source: AndroidHeadlines
https://www.androidheadlines.com/2024/10/meta-facial-recognition-comeback.html

Controversial facial recognition is making a comeback on social media platforms owned by Meta. Facebook’s owner claims this time, the technology will help in spotting and censoring clickbait.Facial recognition tech is making a comeback on Meta-owned platforms

Meta has reportedly announced it is bringing back facial recognition technology. The social media giant had attempted to embed the tech into Facebook and other platforms about three years ago. However, it had to shut down the software owing to rising concerns of privacy, and regulator pushback.

This time, facial recognition software is making a comeback to combat “celeb bait” scams. Meta has announced it would start testing the use of facial recognition technology.

The trial run for the tech will reportedly involve around 50,000 public figures. Meta assured it will start notifying the individuals and they can opt out of the program.

The facial recognition tech will compare these celebrities’ profile pictures with images used in suspected scam advertisements. If the tech finds a possible match, and the ad appears to be indeed a fraud, Meta will block the content.

The company recently announced another round of layoffs. Hence, it is quite likely Meta will use its AI to detect questionable content.

Filed: https://www.androidheadlines.com/category/apps

Subject: I thought I understood the extent…
Source: Brian Krebs” Mastodon account
https://newsie.social/@[email protected]/113356559258902466

Direct link to the article – The Global Surveillance Free-for-All in Mobile Ad Data – https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

BrianKrebs

I thought I understood the extent to which the broad availability of mobile location data has exacerbated countless privacy and security challenges. That is, until I was invited along with four other publications to be a virtual observer in a 2-week test run of Babel Street, a service that lets users draw a digital polygon around nearly any location on a map of the world, and view a time-lapse history of the mobile devices seen coming in and out of the area.The issue isn’t that there’s some dodgy company offering this as a poorly-vetted service: It’s that *anyone* willing to spend a little money can now build this capability themselves.

I’ll be updating this story with links to reporting from other publications also invited, including 404 Media, Haaretz, NOTUS, and The New York Times. All of these stories will make clear that mobile location data is set to massively complicate several hot-button issues, from the tracking of suspected illegal immigrants or women seeking abortions, to harassing public servants who are already in the crosshairs over baseless conspiracy theories and increasingly hostile political rhetoric against government employees.

Subject: National Security Agency Mobile Device Best Practices
Source: NSA
https://www.bespacific.com/national-security-agency-mobile-device-best-practices/

NSA Mobile Device Best Practices report offers tips to thwart hackers and attackers from assaulting your mobile device. One method is as simple as turning your phone off and on.{PDF is 2 pages: 1st a graphic, the 2nd a chart]



Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: CFPB Orders Apple and Goldman Sachs to Pay Over $89 Million for Apple Card Failures
Source: Consumer Financial Protection Bureau
https://www.consumerfinance.gov/about-us/newsroom/cfpb-orders-apple-and-goldman-sachs-to-pay-over-89-million-for-apple-card-failures/

Companies illegally mishandled transaction disputes and misled iPhone purchasers about interest-free payment options

Washington, D.C. – Today, the Consumer Financial Protection Bureau (CFPB) took action against Apple and Goldman Sachs for customer service breakdowns and misrepresentations that impacted hundreds of thousands of Apple Card users. The CFPB found that Apple failed to send tens of thousands of consumer disputes of Apple Card transactions to Goldman Sachs, and when Apple did send disputes to Goldman Sachs, the bank did not follow numerous federal requirements for investigating the disputes. Apple and Goldman launched Apple Card despite third-party warnings to Goldman that the Apple Card disputes system was not ready due to technological issues. These failures meant that consumers faced long waits to get money back for disputed charges, and some had incorrect negative information added to their credit reports. The CFPB is ordering Goldman Sachs to pay at least $19.8 million in redress and a $45 million civil money penalty, and Apple to pay a $25 million civil money penalty. The CFPB is also banning Goldman Sachs from launching a new credit card unless it can provide a credible plan that the product will actually comply with the law.

The CFPB also found that Apple and Goldman Sachs misled consumers about interest-free payment plans for Apple devices. Many customers thought they would automatically get interest-free monthly payments when buying Apple devices with their Apple Card. Instead, they were charged interest. In some cases, Apple did not even show the interest-free payment option on its website on certain browsers. Goldman Sachs also misled consumers about the application of some refunds, which led to consumers paying additional interest charges.

Subject: Three US industry groups sue FTC to block ‘Click to Cancel’ rule
Source: AndroidHeadlines
https://www.androidheadlines.com/2024/10/three-us-industry-groups-sue-ftc-to-block-click-to-cancel-rule.html

Three industry groups in the US are suing the FTC to try and block the ‘Click to Cancel’ rule that would make canceling subscriptions easier. If enacted, the rule could force companies to eliminate multiple hurdles subscribers face while canceling their subscriptions.Which US industry groups are suing the US FTC and why?

An industry group representing cable and internet providers, a group representing home security, and one representing online advertising industries are collectively suing the U.S. Federal Trade Commission.

The Electronic Security Association, Interactive Advertising Bureau, and NCTA have filed comments criticizing the rule as overly broad. They are essentially attempting to block a new rule enacted by the FTC. Technical jargon aside, the new rule requires companies to offer simpler mechanisms to cancel subscriptions.

The three groups have collectively filed papers with the 5th U.S. Circuit Court of Appeals in New Orleans against FTC. They have reportedly claimed the ‘Click to Cancel’ rule, “oversteps the FTC’s authority and was not supported by evidence.”

The trio has alleged the FTC’s rule is “arbitrary, capricious, and an abuse of discretion. [FTC is trying to] regulate consumer contracts for all companies in all industries and across all sectors of the economy.”

How will the new rule help American consumers or subscribers?

Proposed last year, the Click to Cancel rule reportedly builds upon the Negative Option Rule, which forbids businesses from forcing customers to follow convoluted methods while canceling their subscriptions. Essentially, the rule states businesses cannot make customers cancel services using a method that differs from how they signed up.

Filed: https://www.androidheadlines.com/category/tech-news

Subject: EU slaps LinkedIn with $334 million fine for targeted advertising
Source: Android Headlines
https://www.androidheadlines.com/2024/10/eu-slaps-linkedin-with-334-million-fine-for-targeted-advertising.html

The EU has slapped a $334 million fine on LinkedIn over its targeted advertising practices. The Microsoft-owned social media platform may not challenge the fine. Instead, it would change its ad practices to comply with the GDPR.LinkedIn fined $334 million by lead European Union privacy regulator

The EU has confirmed LinkedIn is liable to pay a 310 million euro (approx. $334 million) fine. The regulator has fined the Microsoft-owned professional networking platform for its targeted advertising practices.

The Irish Data Protection Commission (DPC) has determined that LinkedIn had improperly conducted behavioral analyses of the EU members’ personal data for targeted advertising. The regulator is relying on the General Data Protection Regulation (GDPR) that’s currently in effect in the EU.

Speaking about the fine on LinkedIn, DPC Deputy Commissioner Graham Doyle stated, “The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects’ fundamental right to data protection.”

LinkedIn
Posted in: Cybercrime, Cybersecurity, Financial System, Legal Research, Social Media