The IT Privacy and Security Weekly Low Earth Orbit update for the week ending August 29th, 2023

8/29/2023

This week we have a terrific collection of stories for you along with some friendly reminders. As we navigate the heavens we touch on 2FA, Social Media and Rust. We get some interesting insight on the U.S. College Board that all high school students would mark as a “fail”. We discover the perils of a familiar piece of conferencing software and a new initiative from the Taliban that has more than one Hijab tied in knots. From there we learn about a new bot dispensing information that the credit bureaus are collecting on you, and an etiquette update to US Spies. We finish, where else, but in Low Earth Orbit with a story that has quietly been getting louder.

This week’s update will make us all better Internet citizens and keep us all just a little bit safer. So let’s kick it!

Global: Two-Factor Authentication Is Worth the Effort
How Two-Factor Authentication Keeps Your Accounts Safe

Your level of protection goes up considerably just by using secure passwords and one-time authentication codes. Thankfully, setting all this up is easier than it sounds. Apps on your phone or tablet can help. Google, Microsoft or Authy Authenticator(s), when paired with a service that supports authenticator apps, provide a six-digit number that changes every few seconds and can keep people out of your data even if they have your username and password. Other companies ask users to enter an SMS code as the second authentication factor, in addition to a password, although SMS codes are less secure than authenticator apps. Either approach is better than none—unless a hacker is in physical possession of your phone, they are not getting access.

So what's the upshot for you?
Just another reminder to use 2FA wherever you can.

Global: More Developers Are Using the Rust Programming Language, Survey Finds
https://blog.rust-lang.org/2023/08/07/Rust-Survey-2023-Results.html

Backfill: What is Rust? It’s a programming language that is picking up in popularity because of its safety, performance and concurrency. Rust does not stand for any specific acronym; it is a name chosen for the programming language. It was named after the rust fungus that can corrode and weaken traditional systems, symbolizing the language's focus on preventing memory-related errors and vulnerabilities.

The Rust Project's 6th annual State of Rust Survey reveals a surge in adoption, with heightened engagement and expanding integration into workplaces. This year, daily users increased, and Rust's positive impact on team objectives grew. Moreover, apprehensions about Rust's future development diminished. The survey underscores Rust's upward trajectory in usage, its positive impact on teams, and the increasing perception of its benefits among users. Challenges associated with Rust's adoption were also noted, particularly concerning the learning curve. However, a significant majority of productive users found Rust's adoption to be worthwhile. The survey reveals decreasing concerns about the language's future, with fewer respondents expressing worries about various aspects of its development.

So what's the upshot for you?

We did want to point out that although the population of Rust users is growing, that growth is, after all, the aim of the Rust Project, which also runs the survey.

Global: ChatGPT coming to an office near you soon?
OpenAI Launches a ChatGPT Plan For Enterprise Customers
https://openai.com/blog/introducing-chatgpt-enterprise

OpenAI has unveiled ChatGPT Enterprise, an AI-powered chatbot catering to business needs. This new edition mirrors the capabilities of ChatGPT, encompassing tasks like email composition, essay drafting, and code debugging.
Incorporating tools for efficient administration, ChatGPT Enterprise features an admin console for managing employee usage, integrating single sign-on, domain verification, and a usage statistics dashboard. Shareable conversation templates enable internal workflow optimization. A key feature, Advanced Data Analysis, previously available in ChatGPT Plus, is now accessible to ChatGPT Enterprise users. This feature facilitates data analysis, chart creation, math problem solving, and more, even from uploaded files. ChatGPT Enterprise is GPT-4 powered, granting users priority access to this flagship model for enhanced performance and a broader context window. OpenAI emphasizes privacy and encryption, affirming that business and usage data remain unutilized for model training.

Future plans for ChatGPT Enterprise include a ChatGPT Business version for smaller teams, robust data analysis and web browsing capabilities, and specialized tools for varied business functions.

So what's the upshot for you?

The only thing left unsaid about this new offering is the price, with rumors pushing it to about US $100,000/year.

US: Social Media and Tracking

Social media is becoming a popular way for health care providers and entrepreneurs to connect with the public—and often to sell them treatments or advice. These Instagram or TikTok accounts may offer tips from someone in the medical industry, which can appeal to those facing rising health care costs and difficulties accessing care. But an internet doctor’s background or popularity does not ensure that they observe strong privacy guidelines or secure their transactions. Instagram is flooded with offers promising everything from better sleep to improved sexual health. It’s nice to have options, but that help and any information you receive from those accounts or send to them isn’t covered under HIPAA.
Any time you pay out of your own pocket for health-related items or services, or on a direct-to-consumer health app, there is no recourse if someone steals your personal information or shares it. Along with social media and direct-to-consumer health options comes large-scale data tracking. Outside of official medical practices, you should view surveillance as an expectation, rather than an exception.

So what's the upshot for you?

When you sign up for any service, whether through a new doctor’s patient portal or an online supplement shop, ask how your data is stored and where it goes. It may be a hassle, but read the privacy policies and settings, even briefly, to find out what options you have to restrict the sale or reuse of your data. Find out if the service or platform offers two-factor authentication and set that up if it’s available. In the US, know that it’s rare for anyone to need your social security number, no matter what a customer service agent says: birth date and address are usually enough.

US: College Board Shares Student SAT Scores, GPA with Facebook and TikTok
https://gizmodo.com/sat-college-board-tells-facebook-tiktok-your-scores-gpa-1850768077

College Board sends student SAT scores and GPA to Facebook and TikTok, according to tests by tech news outlet Gizmodo. Even when searching for colleges, personal academic details are shared with social media companies. Gizmodo observed the College Board's website sharing data with Facebook and TikTok when a user fills in information about their GPA and SAT scores. When this reporter used the College Board's search filtering tools to find colleges that might accept a student with a C+ grade-point average and an SAT score of 420 out of 1600, the site let the social media companies know. Whether a student is acing their tests or struggling, Facebook and TikTok get the details.
The College Board shares this data via “pixels,” invisible tracking technology used to facilitate targeted advertising on platforms such as Facebook and TikTok. The data is shared along with unique user IDs to identify the students, along with other information about how you use the College Board's site. Organizations use pixels and other tools to share data so they can send targeted ads to people who use their apps and websites on other platforms, such as Google, Facebook, and TikTok.

So what's the upshot for you?

If you want to attain higher education in the United States, the College Board is hard to avoid. The organization writes and administers the SAT test and Advanced Placement (AP) exams, which students take to earn college credit and bolster applications. The College Board also runs standardized tests taken by children as young as kindergartners, and essentially writes the curriculum in some school districts.

US: US Department of Homeland Security Has Spent Millions On an AI Surveillance Tool That Scans For 'Sentiment and Emotion'
https://www.404media.co/ai-surveillance-tool-dhs-cbp-sentiment-emotion-fivecast/

Customs and Border Protection (CBP), part of the Department of Homeland Security, has bought millions of dollars worth of software from a company that uses artificial intelligence to detect “sentiment and emotion” in online posts, according to a cache of documents obtained by 404 Media. CBP told 404 Media it is using technology to analyze open source information related to inbound and outbound travelers who the agency believes may threaten public safety, national security, or lawful trade and travel. In this case, the specific company called Fivecast also offers "AI-enabled" object recognition in images and video, and detection of "risk terms and phrases" across multiple languages, according to one of the documents.
Marketing materials promote the software's ability to provide targeted data collection from big social platforms like Facebook and Reddit, but also specifically name smaller communities like 4chan, 8kun, and Gab. To demonstrate its functionality, Fivecast promotional materials explain how the software was able to track social media posts and related Persons-of-Interest starting with just "basic bio details" from a New York Times Magazine article about members of the far-right paramilitary Boogaloo movement. 404 Media also obtained leaked audio of a Fivecast employee explaining how the tool could be used against trafficking networks or propaganda operations.

The news signals CBP's continued use of artificial intelligence in its monitoring of travelers and targets, which can include U.S. citizens. This latest news shows that CBP has deployed multiple AI-powered systems, and provides insight into what exactly these tools claim to be capable of while raising questions about their accuracy and utility.

So what's the upshot for you?

"CBP should not be secretly buying and deploying tools that rely on junk science to scrutinize people's social media posts, claim to analyze their emotions, and identify purported 'risks,'" said Patrick Toomey, deputy director of the ACLU's National Security Project. "The public knows far too little about CBP's Counter Network Division, but what we do know paints a disturbing picture of an agency with few rules and access to an ocean of sensitive personal data about Americans. The potential for abuse is immense."
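Looking back at the College Board story, here is an added example (not the page's code, nor anything the College Board, Meta or TikTok publish) of how a site owner or auditor can see what Gizmodo saw: a tracking pixel is just an image request to a third-party host, and whatever the page puts in that request's query string is delivered to the third party along with the user's identifier. The Python script below uses only the standard library to scan HTML for tiny or hidden images loaded from outside the site's own domain and to decode the parameters they carry. The sample page, the hostnames and the field names are constructed for the demo. A real pixel is often fired from JavaScript rather than a static img tag, so this static scan is a first pass; the authoritative check is the browser's network log, where the same query string is visible on the outgoing request.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class PixelFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: 1x1 or hidden, and
    loaded from a host outside the site's own domain."""

    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)                      # attribute names arrive lowercased
        parsed = urlparse(a.get("src") or "")
        host = (parsed.hostname or "").lower()
        if not host:                         # relative URL: same site, not a third party
            return
        third_party = host != self.first_party and not host.endswith("." + self.first_party)
        tiny = a.get("width") == "1" and a.get("height") == "1"
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        if third_party and (tiny or hidden):
            params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
            self.findings.append({"host": host, "path": parsed.path, "params": params})


def find_tracking_pixels(html: str, first_party: str) -> list:
    """Return one record per suspected pixel: host, path and decoded query parameters."""
    finder = PixelFinder(first_party)
    finder.feed(html)
    return finder.findings


# Constructed sample page: a normal first-party logo, a hidden off-site pixel whose
# query string carries the values the user typed into a search form, and a large
# banner served from a first-party CDN subdomain (not a pixel).
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" width="120" height="40" alt="logo">
<img src="https://pixel.adnetwork.example/tr?uid=u-1234&amp;ev=college_search&amp;gpa=2.3&amp;sat=420"
     width="1" height="1" style="display: none">
<img src="https://cdn.site.example/banner.png" width="600" height="90">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_HTML, "site.example"):
        print(f"{hit['host']}{hit['path']} receives: {hit['params']}")
```

The point of decoding the parameters rather than just flagging the host is that it turns "a pixel is present" into "these specific form values leave the site", which is the finding a privacy review needs to act on.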
AF: Taliban Says Huawei to Install Cameras to Locate Militants
https://www.bloomberg.com/news/articles/2023-08-25/taliban-says-huawei-to-install-cameras-to-locate-militants

Afghanistan's Taliban-led government is working with Huawei to install a wide-ranging surveillance system across the country in an effort to identify and target insurgents or terrorism activities, Bloomberg News reported Friday, citing a person familiar with the discussions. Representatives of the Shenzhen-headquartered tech company met with Interior Ministry officials on Aug. 14, the person said, and a verbal agreement was reached regarding the contract.

The Interior Ministry initially posted images and details of the meeting on X, the social media platform formerly known as Twitter. In one post, spokesman Mufti Abdul Mateen Qani said the advanced camera system was being considered "in every province of Afghanistan." The posts, which were later deleted, included comments from Abdullah Mukhtar, the deputy minister of the ministry. "We are willing to accept projects that are better in terms of quality and price," he said.

So what's the upshot for you?

Huawei said in an emailed statement, "Reports on this meeting are factually incorrect. No plans or agreements were discussed." ... just before the all-female Huawei sales team visiting Afghanistan were re-wrapped in Hijabs and locked into a room overnight (creative license).

RU: Tornado Cash founders charged with laundering more than $1 billion, including millions for North Korea
https://www.cnbc.com/2023/08/23/tornado-cash-founders-charged-with-laundering-more-than-1-billion-including-millions-for-north-korea.html

Two founders of Tornado Cash, the widely known Russian cryptocurrency mixer, have been charged with laundering more than $1 billion in criminal proceeds.
In a newly unsealed indictment, Roman Storm and Roman Semenov have both been accused of sanctions violations and laundering money through Tornado Cash, including hundreds of millions of dollars for the Lazarus Group, a sanctioned North Korean state-backed hacking group. Charges in the indictment include conspiring to commit money laundering, conspiracy to commit sanctions violations and conspiracy to operate an unlicensed money transmitting business. Storm was arrested Wednesday in Washington state, according to a statement from the Justice Department, but Semenov, a Russian national, remains at large. The third co-founder, Alexey Pertsev, who is not mentioned in this action, faces trial in Amsterdam over his involvement with Tornado Cash.

"Roman Storm and Roman Semenov allegedly operated Tornado Cash and knowingly facilitated this money laundering," said U.S. Attorney Damian Williams, adding, "While publicly claiming to offer a technically sophisticated privacy service, Storm and Semenov in fact knew that they were helping hackers and fraudsters conceal the fruits of their crimes."

So what's the upshot for you?

Money laundering in the name of privacy? Really?

Global: Hackers Can Silently Grab Your IP Through Skype
https://www.404media.co/hackers-find-your-skype-ip-address-microsoft-wont-fix/

Hackers are able to grab a target's IP address, potentially revealing their general physical location, by simply sending a link over the Skype mobile app. The target does not need to click the link or otherwise interact with the hacker beyond opening the message, according to a security researcher who demonstrated the issue and successfully discovered my IP address by using it. Yossi, the independent security researcher who uncovered the vulnerability, reported the issue to Microsoft earlier this month, according to Yossi and a cache of emails and bug reports he shared with 404 Media.
In those emails Microsoft said the issue does not require immediate servicing, and gave no indication that it plans to fix the security hole. Only after 404 Media contacted Microsoft for comment did the company say it would patch the issue in an upcoming update.

So what's the upshot for you?

Wait... People still use Skype?

US: The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15
https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/

Most Americans have very little choice but to provide their personal information to credit bureaus. Hackers have found a way into that data supply chain, and are advertising access in group chats used by violent criminals who rob, assault, and shoot targets.

It took only a few seconds to uncover the target’s entire life. On the messaging app Telegram, I entered a tiny amount of information about my target into the dark blue text box—their name and the state I believed they lived in—and pressed enter. A short while later, the bot spat out a file containing every address that person had ever lived at in the U.S., all the way back to their college dorm more than a decade earlier. The file included the names and birth years of their relatives. It listed the target’s mobile phone numbers and provider, as well as personal email addresses. Finally, the file contained information from their driver’s license, including its unique identification number. All of that data cost $15 in Bitcoin. The bot sometimes offers the Social Security number too for $20.

This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target’s credit header. This is personal information that the credit bureaus Experian, Equifax, and TransUnion have on most adults in America via their credit cards.
Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement. A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officers’ identities, and are selling unfettered access to their criminal cohorts online.

The bureaus make some of the data provided by consumers—known as credit header information—available for sale to other companies. The FTC defines credit header information as the portion of a consumer’s credit report that typically contains the person’s name, birth date, current and prior addresses, Social Security number, and telephone number.

So what's the upshot for you?

So yes, the criminals seem to have access to this through the stolen credentials of someone on a police force.

US: NSA Orders Employees To Spy on the World 'With Dignity and Respect'
https://theintercept.com/2023/08/25/nsa-spy-dignity-respect/

The National Security Agency (NSA), renowned for its clandestine role in U.S. electronic and cyber espionage, has unveiled an internal policy directive aimed at treating foreign intelligence targets "with dignity and respect." This directive, released recently, pertains to the NSA's signals intelligence (SIGINT) division, responsible for global covert surveillance and data collection. The directive emphasizes the importance of treating all individuals with consideration, regardless of nationality or location, as articulated by NSA Director Gen. Paul Nakasone.

The policy's release during the summer, previously unreported, has stirred discussions among civil liberties experts. Some view it as a PR-oriented effort to appease European partners and assuage American critics amidst ongoing debates in Congress about renewing the NSA's expansive surveillance authorities.
Critics, however, find irony in an intelligence agency focused on electronic eavesdropping promising respectful conduct.

So what's the upshot for you?

Evan Greer, director of digital rights advocacy group Fight for the Future, likened the situation to the CIA vowing to administer waterboarding "with dignity and respect." Critics assert that mass surveillance inherently clashes with fundamental human rights and democratic principles.

UK: Met police on high alert after supplier IT security breach
https://www.theguardian.com/uk-news/2023/aug/26/met-police-on-high-alert-after-it-system-holding-officers-details-hacked

The London Metropolitan police have been placed on heightened alert due to a security breach impacting the IT system of one of their suppliers. The breach has raised concerns about potential data leakage, including names, ranks, photos, vetting levels, and pay numbers of officers and staff. The supplier, however, did not possess personal details such as addresses, phone numbers, or financial information. The exact extent of the breach remains unclear, with both the timing and the number of affected personnel unknown.

The incident has sparked strong reactions, with Rick Prior of the Metropolitan Police Federation expressing significant concern over the potential exposure of sensitive information. The breach has prompted collaboration with the company involved, as well as reporting to the National Crime Agency and the Information Commissioner’s Office. This breach comes on the heels of other recent security incidents involving police forces, highlighting the importance of safeguarding personal data and reinforcing the need for stringent security measures within law enforcement agencies.

So what's the upshot for you?

Despite best efforts, the most difficult security to maintain is in partner firms.

LEO: Space 2023: The Final Fintech Cybersecurity Frontier?
https://www.forbes.com/sites/daveywinder/2023/08/28/space-2023-the-final-fintech-cybersecurity-frontier/?sh=75a44e656801

The recently introduced bipartisan Space Infrastructure Act proposes classifying space systems and services as critical national infrastructure in the U.S., mirroring the existing status in the U.K. The bill's consideration has drawn attention to the significant role space technology plays in supporting financial services cybersecurity. Amid this recognition, experts emphasize the multifaceted challenges posed by legacy technology, geopolitical dynamics, cyber threats, and the need for adequate funding.

Chris Kubecka, CEO of HypaSec, underscores the expansive influence of space technology on essential operations, mentioning aspects like space IoT, microsatellites, and emerging technologies. He notes cybersecurity risks tied to these advancements, pointing to the financial sector's need to address these complexities.

Meanwhile, Bogdan Gogulan, CEO of NewSpace Capital, highlights satellite technology's importance in secure data transmission and encryption for the financial sector. Gogulan raises concerns about insufficient funding hampering the development of innovative cybersecurity solutions, particularly in areas like quantum cryptography. Although space technology presents opportunities, Gogulan cautions that challenges like latency, space debris, and security concerns associated with transmitting data to and from space must be addressed. Despite the potential benefits of space-based data centers, including enhanced physical security, Gogulan acknowledges current limitations that outweigh advantages.

As the Space Infrastructure Act's implications are considered, experts emphasize the need for robust collaboration, policy changes, increased funding, and innovation to ensure space technology's continued growth and its vital role in bolstering cybersecurity for financial services.

So what's the upshot for you?
We've been covering some of the developments in this realm since the advent of GaaS (Ground station as a service). Expect to see more of these stories dropping from the night skies.

And our Quote of the Week:

“The longer you hang in there, the greater the chance that something will happen in your favor. No matter how hard it seems, the longer you persist, the more likely your success.” – Jack Canfield

That’s it for this week. Stay safe, stay secure, hang in there, and see you in se7en!
Jenny
8/30/2023 08:51:55 am
Where did this website come from? It's wonderful! I wish I had found this years ago!
Carla
8/30/2023 08:53:33 am
We use this for our IT classes. It is a wonderful source of relevant, recent IT-related stories.