The Habits of the IT Privacy and Security Weekly Update for the week ending August 1st 2023
8/1/2023

This week we suggest new habits to improve your security and lengthen your life. We have a friendly update on what that Nigerian Prince who wanted to give you money a few years back is up to now, and what he might be up to shortly if he gets his hands on the latest batch of PHI to go missing. The US and EU are both keeping an eye on a curious new appetite from one party for old chips, a new coin is under the magnifying glass, and one whole country is back in the viewfinder. We have an update on why the Clear lines at the airport aren't quite as quick as they were a year ago, and we finish with a warning to UK drivers about a new van that looks like a high-rise crane has crashed through its roof, and why you might want to avoid it.

This week's update is all about living longer and traveling. Not a bad agenda. Let's book!

US: These 8 habits could add up to 24 years to your life, study says.
https://www.cnn.com/2023/07/24/health/habits-live-longer-wellness/index.html
https://www.verywellmind.com/how-long-does-it-take-to-build-a-habit-5272517

They say if you do something for two months you can form a habit. That works just as well for security behavior, like creating stronger passwords and never committing security keys or other secrets to code repos, and now a new study validates that certain good habits can also lengthen your life. The study analyzed the lifestyle behaviors of around 720,000 military veterans aged 40 to 99 who were part of the Million Veteran Program. Adding one healthy behavior at age 40 increased a man's life expectancy by 4.5 years, two behaviors led to seven more years, and three habits extended life by 8.6 years. Men who adopted all the lifestyle changes saw the largest benefit, adding up to 24 years of extra life.
Women also saw substantial increases in life span: one healthy behavior added 3.5 years, two added eight years, three added 12.6 years, and adopting all the healthy habits extended life by 22.6 years.

Ranked in order of importance:
No. 1: Exercise is considered the single most important behavior for improving health. Those who engaged in 7.5 metabolic equivalent hours of exercise per week had a 46% lower risk of death than those who didn't exercise.
No. 2: Avoiding opioid addiction reduced the risk of early death by 38%, particularly significant during the ongoing opioid crisis in the US.
No. 3: Never using tobacco decreased the risk of death by 29%. Former smokers weren't counted in this group, but quitting at any point in life still has significant health benefits.
No. 4: Managing stress was associated with a 22% lower risk of early death. Stress is prevalent in the US and can have severe health consequences.
No. 5: Following a plant-based diet increased the chances of a longer life by 21%. It doesn't require being a vegetarian or vegan, but rather adopting a healthy plant-forward plan like the Mediterranean diet.
No. 6: Avoiding binge drinking, defined as having more than four alcoholic beverages a day, reduced the risk of death by 19%. Binge drinking is on the rise in the US.
No. 7: Getting sufficient, good-quality sleep (7 to 9 hours per night without insomnia) lowered the risk of death from any cause by 18%. Poor sleep has been linked to a range of health issues.
No. 8: Positive social relationships contributed to longevity by 5%. Loneliness and isolation, especially among older adults, are becoming more widespread and more concerning.

These lifestyle habits, even adopted in small increments, have a positive impact on overall mortality.

So what's the upshot for you? The important thing about this study is the sample size.
After reading medical studies that claim miracle results from a sample of 39 people, one with 720,000 participants carries some real weight.

US: The U.S. Is Falling Behind on Encryption Standards – And That's a Global Problem
https://www.esecurityplanet.com/trends/nist-encryption-standards/

A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography. That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations, announced last week, expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available. "The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market. It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time. I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."

So what's the upshot for you? Encrypted traffic or data stolen today can be decrypted once a capable quantum computer exists, so "harvest now, decrypt later" is a quantum security problem that is already here. Knowing which of your data is protected only by RSA or elliptic-curve keys, and how long it must stay secret, is the groundwork you can do now while the standards and validated products catch up.
Ke: Kenya Reports Cyber Attacks Causing Government System Outages
https://www.semafor.com/article/07/28/2023/kenya-cyber-attacks-claimed-by-sudan-hackers

Cyber attackers targeted a digital platform used by Kenya's government to deliver services, the country's technology minister said, highlighting the vulnerabilities of the system. The attack on the e-Citizen platform in recent days caused outages that left users unable to access a broad range of government services, from passport applications to electricity payments. Some private companies were also affected. It was "an unsuccessful attempt to overload the system through extraordinary requests, with the intention of clogging it," said Eliud Owalo, cabinet secretary for information technology, in a statement on Thursday. He said technical teams had blocked the source of the requests, adding that privacy and the security of data had not been compromised.

So what's the upshot for you? Looks like the Nigerian prince who wanted to bequeath you some money may have turned his sights to the east side of his continent.

Global: AMD 'Zenbleed' Bug Leaks Data
https://www.tomshardware.com/news/zenbleed-bug-allows-data-theft-from-amds-zen-2-processors-patches-released

Tavis Ormandy, a researcher with Google Information Security, posted last week about a vulnerability he independently found in AMD's Zen 2 processors. The 'Zenbleed' vulnerability spans the entire Zen 2 product stack, including AMD's EPYC data center processors and the Ryzen 3000/4000/5000 CPUs, and allows an ordinary, unprivileged process to read data the CPU should be protecting, such as encryption keys and user logins, from other processes and threads on the same core. The attack does not require physical access to the computer or server, and Ormandy says it could in principle be triggered from JavaScript in a web page. AMD responded with key details and published a security advisory listing expected dates for new firmware, many of which don't arrive until the end of the year.

So what's the upshot for you? Regarding the promised fixes, AMD's advisory says: "Any performance impact will vary depending on workload and system configuration. AMD is not aware of any known exploit of the described vulnerability outside the research environment. Under specific microarchitectural circumstances, a register in "Zen 2" CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information." Yes, expect more on this as we move forward.

US: MOVEit Hackers Accessed Health Data of 'At Least' 8 Million Individuals
https://techcrunch.com/2023/07/27/us-government-contractor-says-moveit-hackers-accessed-health-data-of-at-least-8-million-individuals/

U.S. government services contracting giant Maximus has confirmed that hackers exploiting a vulnerability in MOVEit Transfer accessed the protected health information of as many as 11 million individuals. Virginia-based Maximus contracts with federal, state, and local governments to manage and administer government-sponsored programs such as Medicaid, Medicare, healthcare reform, and welfare-to-work. In an 8-K filing on Wednesday, Maximus confirmed that the personal information of a significant number of individuals was accessed by hackers exploiting a zero-day vulnerability in MOVEit Transfer, which the organization uses to "share data with government customers pertaining to individuals who participate in various government programs." While Maximus hasn't yet been able to confirm the exact number of individuals impacted, something the company expects to take "several more weeks", it believes hackers accessed the personal data, including Social Security numbers and protected health information, of "at least" 8 million and possibly as many as 11 million individuals. If the latter, this would be the largest healthcare data breach of the year so far, and the most significant breach reported as a result of the MOVEit mass-hacks.
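A practical follow-up to the Zenbleed item above, added here as an example; it is not from the original update, from Tom's Hardware or from AMD. It decides whether a machine is a Zen 2 part (AMD CPU family 23) and whether the DE_CFG "chicken bit" is set. The MSR address 0xC0011029 and bit 9 come from Tavis Ormandy's public Zenbleed writeup, which gives setting that bit as the workaround for systems that cannot yet take the microcode update; the Linux kernel's fix sets the same bit on affected CPUs that lack fixed microcode. The Zen 2 model ranges used below are my assumption from the public Zen 2 product families (Rome, Renoir/Lucienne, Matisse, Van Gogh, Mendocino); treat AMD's advisory as the authoritative list. Both cpuinfo samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original update or from AMD): report Zen 2 exposure and
# whether the Zenbleed workaround bit is set.
#   MSR 0xC0011029 (DE_CFG), bit 9: the chicken bit from Ormandy's public writeup.
#   Model ranges: assumed from public Zen 2 product families; AMD's advisory is authoritative.

# is_zen2 FAMILY MODEL  (decimal, as /proc/cpuinfo prints them) -> exit 0 if the part is Zen 2
is_zen2() {
  fam=$1; model=$2
  [ "$fam" -eq 23 ] || return 1                                        # Zen/Zen+/Zen 2 share family 0x17
  if [ "$model" -ge 48 ] && [ "$model" -le 63 ]; then return 0; fi     # 0x30-0x3f: EPYC Rome, Threadripper 3000
  if [ "$model" -ge 96 ] && [ "$model" -le 127 ]; then return 0; fi    # 0x60-0x7f: Renoir/Lucienne, Matisse (Ryzen 3000)
  if [ "$model" -ge 144 ] && [ "$model" -le 175 ]; then return 0; fi   # 0x90-0xaf: Van Gogh, Mendocino (assumed)
  return 1
}

# zenbleed_status CPUINFO_TEXT MSR_HEX
#   prints: not-zen2 | workaround-set | workaround-clear | unknown
#   MSR_HEX is the DE_CFG value as rdmsr prints it (hex, with or without a 0x prefix).
#   Note: fixed microcode removes the bug without this bit, so workaround-clear on a
#   fully updated system is not by itself proof of exposure; check the microcode revision too.
zenbleed_status() {
  cpuinfo=$1; msr=$2
  fam=$(printf '%s\n' "$cpuinfo" | sed -n 's/^cpu family[[:space:]]*:[[:space:]]*//p' | head -n 1)
  model=$(printf '%s\n' "$cpuinfo" | sed -n 's/^model[[:space:]]*:[[:space:]]*//p' | head -n 1)
  if [ -z "$fam" ] || [ -z "$model" ]; then echo unknown; return 1; fi
  if ! is_zen2 "$fam" "$model"; then echo not-zen2; return 0; fi
  msr=${msr#0x}; msr=${msr#0X}
  case $msr in ''|*[!0-9a-fA-F]*) echo unknown; return 1;; esac     # refuse anything that is not hex
  if [ $(( (0x$msr >> 9) & 1 )) -eq 1 ]; then echo workaround-set; else echo workaround-clear; fi
}

# Constructed sample shaped like /proc/cpuinfo for a Ryzen 9 3900X (family 23, model 0x71 = 113, Zen 2)
SAMPLE_ZEN2='vendor_id       : AuthenticAMD
cpu family      : 23
model           : 113
model name      : AMD Ryzen 9 3900X 12-Core Processor'

# Constructed sample for a Zen 3 part (family 25, model 0x21 = 33), which Zenbleed does not affect
SAMPLE_ZEN3='vendor_id       : AuthenticAMD
cpu family      : 25
model           : 33
model name      : AMD Ryzen 9 5900X 12-Core Processor'

# live_check: run on the real machine as root with msr-tools installed; reads core 0 only
live_check() {
  zenbleed_status "$(cat /proc/cpuinfo)" "$(rdmsr -p 0 0xc0011029)"
}

if [ "${1:-}" = "--live" ]; then
  live_check
else
  printf 'sample Zen 2, DE_CFG=0x200: %s\n' "$(zenbleed_status "$SAMPLE_ZEN2" 200)"
  printf 'sample Zen 3: %s\n' "$(zenbleed_status "$SAMPLE_ZEN3" 0)"
fi
```

Run it with `--live` on a Zen 2 box to read the real MSR; the kernel's `msr` module must be loaded (`modprobe msr`). A result of `workaround-clear` on a system whose firmware already carries AMD's fix is expected, which is why the function reports the bit state rather than claiming "vulnerable".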
Maximus has not confirmed which specific types of health data were accessed and has not responded to TechCrunch's questions. In its 8-K filing, the company said it has begun notifying impacted customers and federal and state regulators, and that it expects the incident to cost approximately $15 million to investigate and remediate. Clop, the Russia-linked data extortion group responsible for the MOVEit mass-hacks, claims to have stolen 169 gigabytes of data from Maximus, which it has not yet published. The report notes that "more than 500 organizations have so far been impacted by the MOVEit mass-hacks, exposing the personal information of more than 34.5 million people."

So what's the upshot for you? Think this doesn't affect you? Then you may be surprised when the breach notice comes through your post box.

US/EU: The US and Europe Are Growing Alarmed By China's Rush Into Legacy Chips
https://time.com/6299563/us-europe-china-chips/

U.S. and European officials are concerned about China's accelerated push into producing older-generation semiconductors. President Joe Biden implemented controls over China's access to advanced chips, but China is investing billions in factories for legacy chips that haven't been banned. The U.S. is determined to prevent chips from becoming a leverage point for China. Concerns include China's potential influence over supply, the dumping of legacy chips on global markets, and possible national security risks if critical technology components are bought from China.

So what's the upshot for you? Win the markets in lower-end chips as a stepping stone to the higher-end chips? (Also interestingly, this story was pulled off the website.)
Fr: Worldcoin Being Probed by French Privacy Regulator for 'Questionable' Practices
https://www.coindesk.com/policy/2023/07/28/worldcoin-being-probed-by-french-privacy-regulator-for-questionable-practises/

Worldcoin (WLD), the eyeball-scanning crypto project launched by OpenAI's Sam Altman, is being investigated by French data protection regulator CNIL for "questionable" practices, the regulator told CoinDesk. "The legality of this [data] collection seems questionable, as do the conditions for the preservation of biometric data," a CNIL spokesperson said in a written statement, referring to Worldcoin's practice of scanning irises to ensure that no single person can claim crypto rewards twice. "CNIL has initiated investigations," supporting the work of the Bavarian privacy regulator, which has primary responsibility under EU law, the spokesperson added.

So what's the upshot for you? Worldcoin went live last Monday and its cheerleaders say it could spread crypto wider than bitcoin (BTC), but it has drawn the ire of privacy watchdogs in the U.K., where the Information Commissioner's Office has warned that people must freely give consent to the processing of their personal data and be able to withdraw it without detriment. Biometrics can't be rotated like a password, so once an iris template leaks it stays leaked. Something to think about.

De: Google Street View To Post First New Pictures From Germany in a Decade
https://www.bloomberg.com/news/articles/2023-07-25/google-street-view-to-post-first-new-german-pictures-in-a-decade

Google Street View's cameras have returned to Germany more than a decade after a privacy backlash in the country pushed it to stop updating images. Alphabet's update will start with new photos of the streets and landmarks of the country's 20 largest cities and expand from there, the company said in a blog post last Tuesday. Google voluntarily suspended Street View photography in Germany in 2011, after an outcry from privacy advocates and opposition from regulators.
"We've been back on the road with our vehicles in Germany since June and will be posting the latest images as they become available -- adding footage from other regions across the country," Sven Tresp, a program manager for Street View, wrote. Google is posting information about where its cameras are traveling, he said. The Street View rollout across Europe more than a decade ago triggered probes by data protection watchdogs across the European Union, including one by the Hamburg authority, where Google had its main German base. Some led to fines, including a $1.1 million penalty in Italy.

So what's the upshot for you? Smile and say "Käse"!

CN/US: Android Phones Can Now Tell You If There's an AirTag Following You
https://arstechnica.com/gadgets/2023/07/android-phones-can-now-tell-you-if-theres-an-airtag-following-you/

When Google announced at its Google I/O 2023 conference that trackers would be able to tie into its 3 billion-device Bluetooth tracking network, it also said it would make it easier for people to detect trackers they don't know about, like Apple AirTags. Android users will now soon get these "Unknown Tracker Alerts." Based on the joint specification developed by Google and Apple, and incorporating feedback from tracker makers like Tile and Chipolo, the alerts currently work only with AirTags, but Google says it will work with tag manufacturers to expand coverage. For now, if an AirTag you don't own "is separated from its owner and determined to be traveling with you," a notification will tell you this and that "the owner of the tracker can see its location." Tapping the notification brings up a map tracing back to where the tag was first seen traveling with you. Google notes that this location data "is always encrypted and never shared with Google." Further into the prompts, you can make the tracker play a sound, "without the owner of the tracker knowing," Google says.
If you bring the tracker to the back of your phone (presumably within NFC range), some trackers may provide their serial number and information about their owner, "like the last four digits of their phone number." Google indicates it will also link to information about how to physically disable a tracker. Finally, Google is offering a manual scan feature if you suspect your Android phone isn't catching a tracker or want to see what's nearby. The alerts are rolling out through a Google Play services update to devices on Android 6.0 and above over the coming weeks. Google is working to finish the joint tracking specification "by the end of this year."

So what's the upshot for you? ...and the old boys over at the NSA must be crying into their oatmeal!

Global: We Finally Know Why The TSA Is Cracking Down On CLEAR At Airport Security
https://viewfromthewing.com/why-finally-know-why-the-tsa-is-cracking-down-on-clear-at-airport-security/

Apparently, last July a man slipped through Clear's screening line at Reagan National Airport near Washington before a government scan detected ammunition, which is banned in the cabin, in his possession. He had also very nearly boarded a flight under a false identity. The TSA checkpoint found the ammunition and kept him off that particular flight. Since then the TSA has required Clear to add an ID check to its facial scanning. There has been a lot of speculation that having to show ID undermines the usefulness of CLEAR, the facial scanning and recognition service found in many airports, part-owned by Delta and United and currently in a partnership with American Express. Maybe not showing ID is only an ancillary benefit to the customer, even if it's how the program is sold. We pretend it's about identity verification when really it's about priority in the airport security queue, and it still delivers that.

So what's the upshot for you?
We are glad TSA found the ammunition, and that someone figured out the man was traveling under an assumed identity, but really, isn't preventing exactly this what Clear was created for? Is it really only effective as a queue-jumping service? Clear says "No". TSA obviously thinks differently.

UK: UK drivers, look out for motorway vans carrying crane-mounted cameras.
https://www.bbc.com/news/uk-england-hampshire-66320176

Hampshire and Isle of Wight Constabulary and Thames Valley Police carried out the operation from 17 to 21 July on the A34 and the A303, targeting commercial vehicles. The van carries two cameras on its mast. The first is set at a shallow angle and can pick out a mobile phone held close to the driver's ear or a seat belt that isn't being worn; the second has a steeper view down into the cab to see whether a phone is being used for texting. Offenses flagged by the AI system are double-checked by people before being passed to the police for review.

So what's the upshot for you? Over the week-long operation the van identified 86 drivers suspected of using a phone, 273 drivers or passengers suspected of not wearing a seat belt, and 132 mechanical offenses related to the condition of the vehicles. Heaven help you if your finger went anywhere near your nose.

Our Quote of the week - Cool and composure are priceless assets through the tight grip of summer heat.

That's it for this week. Stay safe, stay secure, start some new habits, and see you in Se7en!