Pete Recommends – Weekly highlights on cyber security issues, January 31, 2021

Subject: Microsoft Deals Blow To Chrome With A Bunch Of Exciting New Edge Features
Source: Forbes
https://www.forbes.com/sites/kateoflahertyuk/2021/01/24/microsoft-deals-blow-to-chrome-with-a-bunch-of-exciting-new-edge-features/

Microsoft is wasting no time this year trying to catch up with its biggest browser rival Google Chrome. It’s not even the end of January, and Edge has just launched new features including a password generator and monitor, as well as its long-awaited Sleeping Tabs, new themes and revamped icons.The password generator aims to make Edge users safer by suggesting secure and complex credentials when you sign up to a new service or change your password, Microsoft wrote in a blog. Meanwhile the password monitor notifies you when your details turn up in a breach. Chrome already offers a similar feature.The Microsoft Edge password move is great for security, and better than nothing at all, but a third party password manager such as 1Password or LastPass is frankly, better. This is because they don’t limit you to just one browser….

Other cybersecurity articles: https://www.forbes.com/cybersecurity


Subject: Apple: Keep iPhone 12 and MagSafe Away From Medical Devices
Source: Gizmodo
https://gizmodo.com/apple-if-you-have-a-medical-device-keep-it-a-safe-dis-1846122303

Although Apple has long acknowledged that its iPhone 12 lineup and MagSafe accessories may interfere with medical devices, such as pacemakers and defibrillators, it released additional guidance for people who use medical devices on Saturday. The message: Keep your iPhone 12 and MagSafe accessories a safe distance away from your medical device.In an support article, spotted by MacRumors, Apple explains that the iPhone 12 contains magnets as well as components and radios that emit electromagnetic fields The company also stated that all its MagSafe accessories contain magnets as well, and that its MagSafe Charger and MagSafe Duo Charger contain radios. These magnets and electromagnetic fields may interfere with medical devices, Apple said.

Apple repeated this advice in the safety information section of its iPhone User Guide.

The safety of some of Apple’s newest products has been a point of concern in recent weeks following the publication of a study authored by researchers from the Henry Ford Heart and Vascular Institute that found evidence that the iPhone 12 can interfere with implantable cardioverter defibrillators, also known as ICDs.


Subject: DIA Skips Warrants for U.S. Phone Location Data by Buying It in Bulk, Memo Says
Source: Nextgo
https://www.nextgov.com/analytics-data/2021/01/dia-skips-warrants-us-phone-location-data-buying-it-bulk-memo-says/171618/

A privacy expert called the disclosure “alarming.”The Defense Intelligence Agency buys commercially available cellphone location data and uses this data to search for device locations in the U.S. without warrants, according to a memo.

DIA officials wrote in a memo to  Sen. Ron Wyden, D-Ore., that its analysts were granted permission to search the database containing U.S. device locations five times in the past two and a half years. The memo, dated January 15, was first reported by the New York Times on Friday.

In the memo, DIA says it funds “another agency” to purchase the data, which is not separated by country of origin when DIA receives it. DIA then filters U.S. location data points into a separate database that analysts can query after receiving permission from DIA’s leadership, lawyers and oversight body. DIA confirmed in the memo it does not seek warrants to conduct these searches.

Mana Azarmi, policy counsel for the Center for Democracy and Technology’s Freedom, Security & Technology Project, told Nextgov in an email DIA’s disclosure is “alarming.” Azarmi said the Supreme Court was explicit in declaring location data as remarkably sensitive in the Carpenter decision.

Azarmi added DIA’s disclosure demonstrates the urgent need for legislation to protect the Fourth Amendment. Wyden reportedly plans to introduce legislation related to this issue in the coming weeks. A spokesperson for Wyden could not be reached for comment in time.

filed


Subject: Google TAG: North Korean Hackers Targeted Security Researchers
Source: Gizmodo
https://gizmodo.com/north-korean-hackers-successfully-phished-cyber-researc-1846130385

A recent phishing campaign by North Korean nation-state hackers successfully duped a number of security professionals who were involved in vulnerability research and development, according to a new report from Google’s Threat Analysis Group.The unnamed threat group used various social engineering tactics to pose as fellow “white hat” security specialists, ensnaring the unsuspecting experts by convincing them that they were looking to collaborate on research, the TAG report shows.

The biggest part of this ruse involved the creation of a fake research blog, replete with write-ups and analysis. The hackers even lured in unsuspecting “guest” security writers to contribute, in an apparent “attempt to build additional credibility.” They also posted YouTube videos via social media in which they deconstructed “fake exploits” that they had executed—another scheme to build trust.

More articles: https://gizmodo.com/c/privacy-and-security


Subject: AI-powered text from this program could fool the government
Source: WireDd via Ars Technica
https://arstechnica.com/tech-policy/2021/01/ai-powered-text-from-this-program-could-fool-the-government/

[no relation to me] In October 2019, Idaho proposed changing its Medicaid program. The state needed approval from the federal government, which solicited public feedback via Medicaid.gov.

Roughly 1,000 comments arrived. But half came not from concerned citizens or even Internet trolls. They were generated by artificial intelligence. And a study found that people could not distinguish the real comments from the fake ones. The project was the work of Max Weiss, a tech-savvy medical student at Harvard, but it received little attention at the time. Now, with AI language systems advancing rapidly, some say the government and Internet companies need to rethink how they solicit and screen feedback to guard against deepfake text manipulation and other AI-powered interference.

The Centers for Medicare and Medicaid Services says it has added new safeguards to the public comment system in response to Weiss’ study, though it declines to discuss specifics. Weiss says he was contacted by the US General Services Administration, which is developing a new version of the federal government website for publishing regulations and comments, about ways to better protect it from fake comments.

Weiss discovered GPT-2, a program released earlier that year by OpenAI, an AI company in San Francisco, and realized he could generate fake comments to simulate a groundswell of public opinion. “I was also shocked at how easy it was to fine tune GPT-2 to actually spit out the comments,” Weiss says. “It’s relatively concerning on a number of fronts.”

Politically driven misinformation has become a critical issue in American politics. Joan Donovan, research director of the Shorenstein Center on Media, Politics and Public Policy at the Harvard Kennedy School, warns that sophisticated AI may not be needed to erode people’s sense of what’s true. “People’s emotions are frayed, and that makes them very vulnerable to convenient explanations rather than difficult truths,” Donovan says.


Subject: Philadelphia ends vaccine registration partnership over possible sales of patient data
Source: Becher’s Health IT
https://www.beckershospitalreview.com/cybersecurity/philadelphia-ends-vaccine-registration-partnership-over-possible-sales-of-patient-data.html

The Philadelphia Department of Public Health terminated its partnership with Philly Fighting COVID, the organization overseeing its largest COVID-19 vaccination site, after learning the group had become for-profit and altered its data policy to allow potential sales of users’ information, according to local NBC affiliate WCAU.The city announced Jan. 25 that it had learned Philly Fighting COVID updated its data privacy policy, which could allow the organization to sell data through its preregistration site.

“The City has not been notified of any of these data having been sold. But for PFC to have made these changes without discussion with the City is extremely troubling,” a health department spokesperson said, according to the report. “As a result of these concerns, along with PFC’s unexpected stoppage of testing operations, the Health Department has decided to stop providing vaccine to PFC.”

More articles on cybersecurity:
Cyberattack knocks county health department’s IT systems offline in northern Washington
OCR lifts HIPAA penalties for COVID-19 vaccine scheduling apps: 5 details
Texas health system cyber attack exposes patients’ personal info: 4 details


Subject: Fraudulent Applicants for Paycheck Protection Program (PPP) and a Surge in Criminal Referrals from Small Business Administration
Source: Transactional Records Access Clearinghouse
https://trac.syr.edu/tracreports/crim/638

The U.S. Small Business Administration (SBA) made more criminal referrals to federal prosecutors at the Department of Justice in FY 2020—a total of 91—than any year in the past two decades. Referrals began increasing in April 2020 after efforts began to identify those who submitted fraudulent bank loans under the Paycheck Protection Program (PPP) established by the CARES Act. SBA referrals also remained higher than usual during the first three months of FY 2021 (October – December 2020). In fact, between April 2020 and the end of December 2020, a total of 102 new referrals were made.Just what proportion of recent referrals reflect alleged fraud under the CARES Act is uncertain since specific details of these referrals will only become public once prosecutions actually are filed. But the timing of this upsurge in referrals as well as details on cases already being filed suggest that alleged fraud in applications for COVID relief was a major driving force. These early results are based on case-by-case government records on SBA referrals obtained and analyzed by the Transactional Records Access Clearinghouse (TRAC) at Syracuse University after successful litigation that required their release.

Subject: Apple urges users to install security upgrade to iPhones, iPads
Source: The Associated Press, Nexstar Media Wire via WTAJ

https://www.wearecentralpa.com/news/national-news/apple-urges-users-to-install-security-upgrade-to-iphones-ipads/

CUPERTINO, Calif. (AP) — Apple is urging iPhone and iPad users to update their devices to fix security flaws that might have been “actively exploited” by hackers.Apple made the software upgrades available Tuesday, adding a rare note suggesting it was a serious threat.The company credited anonymous researchers for pointing out the vulnerability but provided little details about the nature of the threat.

 

Subject: Cyber Diplomacy: State Should Use Data and Evidence to Justify Its Proposal for a New Bureau of Cyberspace Security and Emerging Technologies
Source: U.S. GAO
https://www.gao.gov/products/GAO-21-266R

The State Department notified Congress in 2019 of its plan to create a new bureau to focus on cybersecurity and the security aspects of emerging technologies. In January 2021, the Secretary approved the bureau’s creation. The Chair and Ranking Member of a House committee asked us to review State’s efforts to advance U.S. interests in cyberspace.

State provided briefing slides with options on where to place the bureau and a memo on its final decision. But the documents did not show that State used evidence to justify its proposal or explain how it would address any challenges.

We recommended that State use evidence to justify its proposal.

What GAO Found View Report (PDF, 14 pages)


Subject: USPS expands digital fingerprinting at hundreds of post offices
Source: FedScoop
https://www.fedscoop.com/usps-expands-digital-fingerprinting/

The U.S. Postal Service is expanding the digital fingerprinting service it offers the public to hundreds of new post offices this year. USPS struck a deal with French security company IDEMIA to bring its biometric capture and in-person proofing services to between 400 and 500 post offices, out of 31,000, by the end of 2021.

The financially ailing agency wants to use its nationwide retail network to generate more revenue, while also meeting its five-year strategic goal to improve people’s access to e-government services.

“We’ll be able to scale at whatever pace they want to once the initial solution is delivered,” Shane Powers, vice president of operations at IDEMIA National Security Solutions, told FedScoop.

USPS hopes to extend digital fingerprinting to other federal agencies as well, making it a bigger player within the employee vetting space across government.


Subject: As U.S. Capitol investigators use facial recognition, it begs the question: Who owns our faces?
Source: LLRX
https://www.llrx.com/2021/01/as-u-s-capitol-investigators-use-facial-recognition-it-begs-the-question-who-owns-our-faces/

Who owns your face? Of course, a silly question … right? But what about the data generated from your face? And what does it mean to have your face become data?

Already, plenty of data about millions and millions of faces exist. We have volunteered our faces in social media posts and photos stored in the cloud. But we’ve yet to determine who owns the data associated with the contours of our faces.

In the age of Big Tech, we need to grapple with what expectations we can and should have about who has access to our faces. The recent riot at the U.S. Capitol has put the question into the spotlight as facial recognition becomes a vital tool in identifying rioters: What is the power of facial recognition technology, and are we ready for it?

Even before the riots, facial recognition technology was being used in many ways that we probably haven’t seriously considered, and many of us have voluntarily contributed to creating data about our faces, either explicitly or implicitly. Facial recognition technology, for example, is ubiquitous in public spaces.

What rights do we have when we volunteer our faces to datafication? Journalist Rebecca Heilweil documents the many ways we bring facial recognition technology into our lives. Many of us are familiar with Facebook’s photo-tagging technology that tags not just your face, but other people in your photos. This technology is also present in Google and Apple’s photo apps.

We know about the biases in our existing data against people of colour, women and of low-income status. We know police who use these biased data in the name of algorithmic policing has resulted in harassment of targeted communities and the wrongful arrests of Black people.

Posted in: AI, Civil Liberties, KM, Legal Research, Privacy, Technology Trends

Author – Wendy H. Wong, Professor of Political Science, University of Toronto. Research Lead at the Schwartz Reisman Institute for Technology and Society, and Canada Research Chair in Global Governance and Civil Society.

Subject: U.S. Intelligence Claims China Wants to Steal Your DNA
Source: Gizmodo
https://gizmodo.com/u-s-intelligence-claims-china-wants-to-steal-your-dna-1846156502

China has been accused of stealing a lot of things from America: intellectual property, “jobs and wealth,” even our beloved role as the world’s biggest jerk. Now, U.S. national security officials warn that America’s greatest adversary wants to steal our genetic makeup, too. The Chinese biotech firm BGI Group recently offered to “build and run” Covid-19 testing centers in multiple U.S. states—including California, New York, and half a dozen others—but Bill Evanina, one of the top federal intelligence officials in the country, issued a dire warning against it, according to a new report from “60 Minutes.”

Evanina, who at the time served as director of the National Counterintelligence and Security Center, sent a bulletin to governments and hospitals warning them that “foreign powers can collect, store and exploit biometric information from covid tests.” In a recent CBS interview, Evanina made an even bolder claim: that the reason the Chinese are trying to collect Americans’ data is to “win a race to control the world’s biodata.”

National security concerns about the DNA threat seem to boil down to the idea that if the Chinese have too much data on our genetics it will give them undue influence over us politically. A 2019 report prepared for the U.S.–China Economic and Security Review Commission claims that China might use the DNA it has collected to make targeted attacks on “sensitive US persons,” but doesn’t elaborate further on how or why this would occur:

Posted in: AI, Big Data, Civil Liberties, Cybersecurity, Government Resources, Healthcare, KM, Legal Research, Privacy, Search Engines, Social Media, Technology Trends