Pete Recommends – Weekly highlights on cyber security issues, April 24, 2021

Subject: What are the different roles within cybersecurity?
Source: The Hacker News
https://thehackernews.com/2021/04/what-are-different-roles-within.html

People talk about the cybersecurity job market like it’s a monolith, but there are a number of different roles within cybersecurity, depending not only on your skill level and experience but on what you like to do.In fact, Cybercrime Magazine came up with a list of 50 cybersecurity job titles, while CyberSN, a recruiting organization, came up with its own list of 45 cybersecurity job categories. Similarly, OnGig.com, a company that helps firms write their job ads, analyzed 150 cybersecurity job titles and came up with its own top 30 list. This article is based on research I did with Springboard, one of the first cybersecurity bootcamps with a job guarantee and 1:1 mentorship.

The complicated part is that these titles and roles generally aren’t standardized, plus they constantly change as the industry itself evolves. The National Institute for Science and Technology, in its National Initiative for Cybersecurity Education workforce framework, does try to standardize positions using the notions of:

If you’re looking to build your skill set towards building a career in cybersecurity and a way to get started, Springboard’s cybersecurity bootcamp is one of the first to offer a job guarantee in cybersecurity along with 1:1 mentorship with an industry expert — get a job or your money back.


Subject: Englewood Cliffs NJ sues Intrep Solutions over lost emails
Source: NorthJersey.com
https://www.northjersey.com/story/news/bergen/englewood-cliffs/2021/04/07/englewood-cliffs-nj-sues-intrep-solutions-over-lost-emails/7111650002/

ENGLEWOOD CLIFFS — The borough is suing its former IT professional, claiming it failed to archive official emails and was fraudulent and negligent.The suit filed late last month claims that Intrep Solutions, which started working in the borough in 2012, and owner Cameron Arabi led officials to believe the official email server had archived emails, which was not the case.

According to the suit, the borough shifted to Microsoft Office in 2017 and Arabi was made a global administrator to the account to give him the “appropriate authority” and make sure that emails were archived and that he could conduct audit logs for security purposes.

The lawsuit highlighted that emails from three of the five Democrats who served on the council in recent years had been deleted. Ed Aversa, Gloria Oh and Ellen Park served on the borough’s affordable housing committee and were often at odds with Mayor Mario Kranjac.


Subject: COVID-19-themed cyberattack detections continue to surge
Source: Help Net Security
https://www.helpnetsecurity.com/2021/04/19/covid-19-themed-cyberattack/

McAfee released its new report, examining cybercriminal activity related to malware and the evolution of cyber threats in the third and fourth quarters of 2020. In Q4, there was an average of 648 threats per minute, an increase of 60 threats per minute (10%) over Q3.

“The world—and enterprises—adjusted amidst pandemic restrictions and sustained remote work challenges, while security threats continued to evolve in complexity and increase in volume,” said Raj Samani, McAfee fellow and chief scientist.

“Though a large percentage of employees grew more proficient and productive in working remotely, enterprises endured more opportunistic COVID-19 related campaigns among a new cast of bad-actor schemes. Furthermore, ransomware and malware targeting vulnerabilities in work-related apps and processes were active and remain dangerous threats capable of taking over networks and data, while costing millions in assets and recovery costs.”


Subject: Growing reliance on third-party suppliers signals increasing security risks
Source: ZDNet
https://www.zdnet.com/article/growing-reliance-on-third-party-suppliers-signals-increasing-security-risks/#ftag=RSSbaffb68

Adversaries are turning their focus on cheaper, easier targets within an organisation’s supply chain, especially as businesses increasingly acquire software from external suppliers. In this first piece of a two-part feature, ZDNet looks at how organisations in Asia-Pacific are facing more risks even as the perimeter they need to protect extends far beyond their own networks.There had been a spate of third-party cybersecurity attacks since the start of the year, with several businesses in Singapore and across Asia impacted by the rippling effects of such breaches.

Ang told ZDNet in a video call that the IT ecosystem had been built for efficiencies and speed of deployment. To do this in software development, libraries or DLL (Dynamic Link Libraries) had to be established so data could be pulled from different places.

Enterprises also did not build every application on their own, choosing instead to acquire software from external suppliers. “And whoever they acquire from has their own software development system that we have to trust they are securing,” he noted.

Cheaper, easier targets within supply chains


RELATED COVERAGE


Subject: Our Privacy Progress and the Path Ahead
Source: About Facebook
https://about.fb.com/news/2021/04/our-privacy-progress/

Two years ago, we announced our plans to fundamentally shift our approach to protecting people’s privacy. Today, I’d like to share the continued progress we’ve made by publishing a new Privacy Progress Update that provides our most detailed look to date at the work we’re doing to embed privacy into all facets of our company and the investments we’re making to keep improving our privacy technology and practices. You may have seen some of these updates in the form of new privacy tools and controls in our apps. Others are less obvious, like the ways we’ve created a cultural shift to make privacy a core responsibility of everyone at Facebook. With today’s update, we’re bringing all of this together to make it easier to understand the details of our privacy approach.As Chief Privacy Officer, Product at Facebook, my job is to oversee our company-wide privacy program and make sure that we respect and honor people’s privacy in everything that we do.


Subject: The FBI removed hacker backdoors from vulnerable Microsoft Exchange servers. Not everyone likes the idea
Source: ZDNet
https://www.zdnet.com/article/the-fbi-removed-hacker-backdoors-from-vulnerable-microsoft-exchange-servers-not-everyone-likes-the-idea/

Last week the US Department of Justice revealed how the FBI had worked to remove malicious web shells from hundreds of computers in the United States that were running vulnerable versions of Microsoft Exchange Server. While the move will have helped keep many organisations secure, it has also raised questions about the direction of cybersecurity.

Hundreds of unmitigated web shells have been identified and removed from hundreds of systems – to such an extent that the Department of Justice says it has removed one hacking group’s remaining web shells entirely.

Even if the intent was good – in short, helping to protect the businesses by removing the access of cyber attackers, and authorised by the courts – this is a significant step by law enforcement.

“The effort by the FBI amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not OK,” says David Brumley, professor of electrical and computer engineering at Carnegie Mellon University and co-founder and CEO of ForAllSecure, a cybersecurity company.

“We don’t want a future where the FBI determines someone may be vulnerable, and then uses that as a pretext to gain access. Remember: the FBI has both a law enforcement and intelligence mission. It would be the same as a police officer thinking your door isn’t locked, and then using that as a pretext to enter,” he says.

filed: https://www.zdnet.com/topic/security/

MORE ON CYBERSECURITY


Subject: FTC Says Racist Algorithms Could Get You In a Lot of Trouble
Source: Gizmodo
https://gizmodo.com/the-ftc-says-racist-algorithms-could-get-you-in-a-lot-o-1846723684

Tentatively excellent news! The FTC has declared that it is serious about racist algorithms, and it will hold businesses legally accountable for using them. In a friendly-reminder type announcement today, it said that businesses selling and/or using racist algorithms could feel the full force of their legal might.“Fortunately, while the sophisticated technology may be new, the FTC’s attention to automated decision making is not,” FTC staff attorney Elisa Jillson wrote in a statement on Tuesday, adding that the agency “has decades of experience” enforcing laws that racist algorithms violate. They write that selling and/or using racially biased algorithms could qualify as unfair or deceptive practices under the FTC Act. They also remind businesses that racial discrimination (by algorithm or human) could violate the Fair Credit Reporting Act and the Equal Credit Opportunity Act.

The effects of algorithmic racial bias and automated white favoritism spill out far beyond the types of products Facebook serves us. Racist algorithms have been shown to disproportionately deny Black people recommendations for specialized healthcare programs. They have priced out higher interest rates on mortgages for Black and Latinx people than whites with the same credit scores. They have drastically exaggerated Black defendants’ risk of recidivism, which can impact sentencing and bail decisions. They have encouraged police to target locations and arrest records which perpetuate further disproportionate arrests in Black communities. The list goes on.

In other words, no one knows the extent of racist algorithms’ damage, and the FTC urges businesses to hold themselves accountable or the FTC “will do it for you,” read: the FTC will come for you, even if you’re a small potatoes Honda dealership.


Subject: CISA confirms U.S. agencies affected by Pulse Connect VPN vulnerabilities
Source: FCW
https://fcw.com/articles/2021/04/20/pulse-secure-vpn-cisa-vuln.aspx

The Cybersecurity and Infrastructure Security Agency on Tuesday confirmed that a number of federal agencies were compromised by a threat actor last year through vulnerabilities found in virtual private networking software made by Pulse Connect Secure.

In a blog post on Tuesday, cybersecurity firm FireEye detailed its investigation into 12 malware families all associated with exploiting Pulse Secure VPN devices. The company labeled the hacking campaigns behind the attacks as UNC2630 and UNC2717. The former is suspected to be working on behalf of the Chinese government and targeting defense industrial base contractors, according to FireEye.


Subject: 10 most common passwords used by healthcare employees
Source: Becker’s IT Health
https://www.beckershospitalreview.com/cybersecurity/10-most-common-passwords-used-by-healthcare-employees.html

When it comes to preferred passwords among healthcare industry employees, many are choosing weak options that can make their employer hospital or health system organization vulnerable to cyberattacks, according to an April 20 NordPass report. For its analysis, NordPass, a password manager for B2B and B2C clients, partnered with a data breach research company to examine data from public third-party breaches that affected Fortune 500 companies. The researchers analyzed data from 15,603,438 breaches and categorized the top 10 passwords used in 17 different industries.

Here are the 10 most common passwords healthcare industry employees use, according to the report. Passwords marked by an asterisk (*) are a company name or variation of it; NordPass did not name the companies.


Subject: Postal Service Cops Are Monitoring Social Media: Document
Source: Gizmodo
https://gizmodo.com/postal-service-cops-are-monitoring-social-media-sensit-1846735276

Add another pushpin to the string wall of America’s shadowy force of postal service cops. Yahoo News reports that the USPS’s security arm, the United States Postal Inspection Service (USPIS), monitored social media for potential threats of domestic violence. According to a USPIS memo obtained by Yahoo News, the agency collected “inflammatory” Parler and Telegram posts ahead of planned March 20 protests and shared them with other agencies.

The two-page document, which is labeled “law enforcement sensitive” and was distributed by a DHS intelligence “fusion center,” reads in part:

Mail tie-ins seem to be sort of loose. In a 2019 year-end report, the USPIS said that it employed 1,289 inspectors charged with enforcing “roughly 200 federal laws, covering crimes that include fraudulent use of the U.S. Mail and the postal system.” This surprisingly thrilling tie-in means that they hunt down prolific mail thieves, mail marketers, dark web-sourced mailed drugs, drug delivery bribes, and even on a $7 billion fraud scheme. But it also has a long-running unit for investigating child exploitation material, which, it seems, may or may not be detected through the process of flowing through mail. In its 2019 year-end report, for example, USPIS said that it was handed an investigation into a hard drive (which had at one point been mailed) containing child sexual abuse material, but the investigation was passed along from a Rhode Island internet child abuse task force, not seized en route or at a delivery point.

And, as the Washington Post has noted, the postal service’s investigatory powers granted since 1775 make it the oldest law enforcement agency in the country. The USPIS’s report suggests that it collaborates with virtually every federal investigatory body, including the Securities and Exchange Commission, Customs and Border Protection, the Department of Justice, the Department of Defense, the FBI, the DEA, and more.


Subject: TSA exploring mobile driver’s licenses for REAL ID identity verification
Source: GCN
https://gcn.com/articles/2021/04/22/real-id-state-mobile-drivers-license.aspx

With several states exploring mobile driver’s licenses, the Transportation Security Administration is seeking comments on what changes it might need to make so agencies can accept mDLs for REAL ID Act-compliant identification for access to federal facilities, nuclear power plants and boarding federally regulated commercial aircraft.Typically accessed through a smartphone app, mDLs offer advanced features that provide greater security than physical licenses for verifying an individual’s identity, enable stronger privacy protections and improve health and safety through touchless identity verification.Like a physical driver’s license, mDL data originates from an individual’s identity information that is maintained by a state Department of Motor Vehicles or equivalent agency. For federal agencies to be able to accept an mDL, they would have to trust that the identity data came from the issuing DMV and that it was transmitted unaltered. For physical IDs, that trust is conveyed through a card’s security features that are designed to deter and detect forgery and counterfeiting. Because mDLs have no physical form, the trust ecosystem must allow for standardized, secure communications between a DMV, a mobile device and a federal agency, according to the proposed rule.


Subject: How Do You Retire Technology and Limit Risk?
Source: Nextgen
https://www.nextgov.com/ideas/2021/04/how-do-you-retire-technology-and-limit-risk/173448/

The challenge is that while many get excited about the new software when it’s installed, too few make long-term plans for removal at software end of life.Federal agencies have a software accumulation problem. While they have countless options when it comes to selecting software, IT leaders routinely purchase and build out mission-specific environments and when those resources are no longer needed, they have to decide what to do. So what options do you have? Do you replace or do you remove? And, in either case, do you feel confident that you will be able to completely replace or remove? This question may not be as simple as it sounds.

Remember, if agencies do not secure endpoints in real-time, then their networks are not secure. It’s not uncommon for agencies to work off data that is days or weeks old. However, today’s cyber attackers only need minutes to achieve their goals. Attacks on federal systems are coordinated and executed in real-time, so it’s critical federal organizations have the same speed, scale, and accuracy—all of which are only possible with real-time data for enterprise visibility and control.

Posted in: Big Data, Civil Liberties, Cybercrime, Cybersecurity, Email Security, KM, Legal Research, Privacy, Social Media, Spyware, Technology Trends