Security News for the Week Ending September 8, 2023

Want a .US Domain? Just Lie About It.

The .US top level domain is a hotbed for phishing attacks, apparently because of lax oversight. In theory, .US is managed by the US government, but the government outsources that to GoDaddy, which, to be polite, does not have a stellar cybersecurity reputation. See here and here, for example. When asked how it verifies that buyers are US citizens, GoDaddy said that buyers have to check a box on its website saying that they are US citizens. Maybe GoDaddy needs to re-evaluate, or the Department of Commerce, which contracted out to them, needs to re-evaluate. Credit: Brian Krebs

Well, This Qualifies as Super Embarrassing

Toyota was forced to halt production in 12 of its 14 Japan-based manufacturing facilities in late August for several days, at a cost of 13,000 cars not made per day. What sort of ransomware caused this? None. It was caused by a lack of disk space during a system maintenance period, which caused a cascading failure that brought production to a halt. In addition, their DR plan was completely faulty, which stopped them from being able to come up on their DR site. This is not that uncommon, but if you need help avoiding situations like this, please contact us. Credit: Bleeping Computer

Bad Week for Crypto Scammers; Good One for The Rest of Us

The courts sentenced the CEO of Thodex, a $2 billion crypto scam, and his brother and sister to 11,196 years in prison. And no, that is not a typo. That should keep them under control. Also, a fourth FTX exec has pleaded guilty and agreed to forfeit $1.5 BILLION. That can’t be good for Bankman-Fried, with that many execs testifying against him. Credit: Coindesk and CNN

CISA Says They Are Wrapping Up Cyber Incident Reporting Guide Ahead of Schedule

Last year’s spending bill requires critical infrastructure to report cyber incidents. Congress gave CISA two years to publish an interim rule; they are going to do it in about a year. Stay tuned for what is in it. Credit: The Record

Is That Encrypted App Really Secure?

If you are going to be a crook and protect your communications via an encrypted app, make sure that the app is actually secure. Europol has taken down three encrypted apps used by crooks – EncroChat, SkyECC and ANOM – and says that this has given them “unprecedented insight” into the ways of the underworld. This time they arrested 6 people and seized 2.7 TONS of coke, watches and about a half mil in cash. Not bad for a day’s work. Credit: The Register

California Releases Draft Audit and Risk Assessment Regs

The California Privacy Protection Agency, the government agency that enforces the California Privacy Rights Act, has released two DRAFT documents recently. They are going to discuss the drafts at their meeting tomorrow but they have not yet started the rulemaking process.

The two regulations are the cybersecurity audit regulations and the cyber risk assessment regulations.

Some of the main points of the audit regulations are:

  • Outline the requirement for annual cybersecurity audits for businesses “whose processing of consumers’ personal information presents significant risk to consumers’ security”;
  • Outline potential standards used to determine when processing poses a “significant risk”;
  • Propose options specifying the scope and requirements of cybersecurity audits; and
  • Propose new mandatory contractual terms for inclusion in Service Provider data protection agreements.

For the risk assessment regulations, some of the key points include:

  • Propose new and distinct definitions for Artificial Intelligence and Automated Decision-making technologies;
  • Identify specific processing activities that present a “significant” risk of harm to consumers, requiring a risk assessment. These activities include:
    • Selling or sharing personal information;
    • Processing sensitive personal information (outside of the traditional employment context);
    • Using automated decision-making technologies;
    • Processing the information of children under the age of 16;
    • Using technology to monitor the activity of employees, contractors, job applicants, or students; or
    • Processing personal information of consumers in publicly accessible places using technology to monitor behavior, location, movements, or actions.
  • Propose standards for stakeholder involvement in risk assessments;
  • Propose risk assessment content and review requirements;
  • Require that businesses that train AI for use by consumers or other businesses conduct a risk assessment and include with the software a plain statement of the appropriate uses of the AI; and
  • Outline new disclosure requirements for businesses that implement automated decision-making technologies.

Even if you are not required to comply with this right now, think about this. Two years ago there was one state with a second-generation privacy law. Now there are more than a dozen. It is moving very fast.

Credit: Ballard Spahr

Is Google’s Incognito Mode Private?

That question is the basis of a FIVE BILLION DOLLAR lawsuit.

Google’s Chrome incognito mode is the tool of choice for people who want to keep their web activity private. The use of it is often called private browsing or porn mode, depending on who you talk to.

There are legitimate reasons to use incognito mode that actually do serve a purpose. For example, online flight booking sites track your activity, and after you have searched an itinerary several times, they start raising prices to pressure you into booking now. Since incognito mode deletes your cookies when you close your browser, it can help with keeping your airfare low.

What it does not do is hide your browsing from your boss, your Internet provider, your DNS provider or any website that you visit. Websites, in particular, fingerprint your computer as a way to track you in between sessions. Sometimes this can even track you across devices.

In a lawsuit filed a few years ago, some folks who thought that “Don’t be Evil” was still part of Google’s business motto (it is not) found it more than a little bothersome that, despite Google’s assurances of privacy, Incognito mode does not really offer you much privacy, except, to some degree, from someone who shares the same login on the same computer as you. Beyond that, it does not do much.

Google claims that if you read the first screen that pops up when you enter incognito mode, it tells you that your browsing is not really private.

Curiously, other Chromium browsers don’t even offer that warning. I don’t know when Google added this warning – possibly after the lawsuit was filed.

Google says that they have been consistent – saying that they have never said that incognito mode is a Harry Potter invisibility cloak.

While at least some techies understand the small amount of privacy incognito mode gives you, it is equally likely that the average user does think this is an invisibility cloak, and Google really hasn’t done a lot to eliminate that confusion. After all, if the average user understood that it is basically useless from a privacy standpoint, they might actually push for something that does enhance their privacy – at a risk to Google’s pocketbook.

To add to Google’s concerns, apparently some Google engineers were joking about the effectiveness of incognito mode as far back as 2018. This doesn’t help Google’s case.

It is not clear how Google might “settle” this case outside of court, and admitting that the whole thing is a joke might leave them open to more lawsuits.

Stay tuned. Credit: Cybernews

Twitter Continues to Morph – With Privacy Issues

Twitter modified its privacy policy to allow it to collect users’ biometric data.

They say this is to tackle fraud and impersonation on the site.

The new privacy policy, which goes into effect on September 29th, says they will be collecting biometric data for safety, security and identification purposes. The details are kind of missing at this point. What biometric data? How are they collecting it? How long are they keeping it? And most importantly, how are they securing it?

They have said that this is limited to paid (premium) users, who will be given the option to provide a government ID and picture. Some of us do this for government and other high security websites, but this will be a first for a social media site.

The new privacy policy is also expected to allow them to collect users’ employment and educational history, similar to LinkedIn, and for similar purposes. It would be used to match you with employers, with whom they would share your information.

As Twitter tries to expand its desirability, they have also added a crude version of encrypted direct messages, but they have not provided any information about how they are encrypted or how secure that feature is.

And, like everyone else, they say that they may use the information they collect, along with publicly available information, to train their AI models. They say this will only include public data – no DMs or private data.

While none of this raises alarm bells, it certainly does suggest that Twitter wants to collect, store, massage and manage a lot more of your personal data. What is much less clear is what controls will be in place after Twitter let go of so many people.

They will also have to comply with the new EU Digital Services Act, which went into effect last month.

I think they have their work cut out for them with the entire universe watching them.

One key thing for their financial success is how to convince people to switch:

  • from a free to paid platform
  • from a known platform (like LinkedIn or Signal) to a platform that is known but with features that are unknown.

Stay tuned. This is, as they say, a developing story. Credit: The Hacker News

Security News for the Week Ending September 1, 2023

What Does $50,000 in iPads Get You?

The answer may be a prison sentence for bribery. The case has been going back and forth, but now it is back on. The head of Apple security wanted some concealed carry permits for his team, and since the process wasn’t going as fast as Apple would like, they offered to “donate” $50,000 worth of iPads to the Sheriff in exchange for the permits. Sounds like a bribe. Credit: Cybernews

The FBI is Getting Good at This

After the FBI nuked the Qakbot malware network with assistance from international law enforcement, it figured out how to uninstall the malware from 700,000 infected computers. After they got control of the hackers’ admin servers, they wrote a program that they pushed out as an update to the malware. Note to hackers: if you can update your software, so can the FBI. The FBI had to reverse engineer the software, but with control of the hackers’ infrastructure, that was less difficult. Credit: Bleeping Computer

Apple Releases the Most UNlocked iPhone Ever – to Security Researchers

Apple does this every now and then. The Security Research Device (SRD) is a specially-built hardware variant of iPhone 14 Pro, with tooling and options that allow researchers to configure or disable many advanced security protections of iOS. Researchers can install and boot custom kernel caches on it, run arbitrary code, start services at startup, persist content across restarts, and more. This is much smarter of Apple than fighting with the security research community. Credit: Helpnet Security

Reminder – Windows 11 Will Force-Update if You Are Running 21H2 – Next Month

I can’t test this because I am running 23H2, but if you are running an old version of Windows 11, don’t be surprised one day when you wake up to a new version of Windows on your computer (you will see a message telling you to reboot to get this wonderfulness). This will not affect centrally managed business systems. You can find out what version you are running by typing WINVER in the magnifying glass (search) window and selecting the Winver app. Credit: Bleeping Computer

US, Like China, Is Collecting DNA on up to 10 Percent of the Population

The FBI has collected DNA on over 20 million Americans – about 10% of the population, including babies. And the FBI wants to double its budget for DNA collection because it is adding 90,000 samples a month and expects that to increase to 120,000 a month. Years ago, CODIS (the Combined DNA Index System) was designed to collect DNA from violent felons and sex offenders. Since even breathing sheds DNA, it is easy for local police to collect DNA from almost anyone if they want to. Even if you don’t think the Intercept is credible, the FBI is admitting what it is doing in its request for more money. Credit: The Intercept

Microsoft Joins Opposition to Proposed UN Cybercrime Treaty

The ink isn’t even dry yet; in fact, the treaty has not even come up for debate in the UN and won’t until January. If it makes it out of the drafting process, it will take either a two-thirds vote or a consensus to pass.

The issue is that repressive regimes like Russia and China want the treaty to be vague and open to abuse, allowing them to criminalize online content, suppress dissent and go after human rights.

It would also allow countries to increase surveillance in the name of fighting cybercrime.

This is not the first year the UN has been working on such a treaty. In fact, it is the 6th try. But there are still a lot of disagreements – such as what the definition of cybercrime even is.

The current draft also lacks transparency – there are no provisions for data custodians to notify their clients of surveillance. Surveillance could occur in total secrecy.

The treaty also does not protect security researchers. This is probably cyber criminals’ favorite part. No research means bugs will persist. And be used/abused.

It is not clear if this treaty would need to be ratified by individual governments, but if it does, the authoritarian governments will ratify it and the rest of the countries may not.

This is definitely something to watch. Credit: The Record
