Saturday, May 30, 2020


Forward to your Computer Security team. Registration required.
Evolving Tactics, Techniques, and Procedures in the Ransomware Landscape
According to a report from Group-IB, Remote Desktop Protocol (RDP) was the common point of intrusion for ransomware in 2019. Vulnerable Windows RDP ports were abused in 70-80% of all ransomware attacks in 2019 to gain an initial foothold.
The report also highlighted that exploit kits, external remote services, spear-phishing attachments, and valid accounts are other attack techniques used by ransomware operators to gain access to victims’ computers.
More advanced ransomware actors rely on supply-chain compromise, exploiting unpatched vulnerabilities in public-facing applications, and compromising managed service providers (MSPs) to obtain access to valuable targets.
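Since exposed RDP is the foothold in most of the cases the report counts, the cheapest check a small IT team can run is to count failed RemoteInteractive logons per source address and watch for a success that follows them. The block below is an added example, not code from the Group-IB report or from this post. The event IDs (4625 failed logon, 4624 successful logon) and logon type 10 are the Windows Security log's own values; the log records, addresses, usernames and the five-failures-in-ten-minutes threshold are constructed for the example.

```python
"""Flag RDP password-guessing in Windows Security events.

Added example, not code from the Group-IB report or the post. It walks
records shaped like Windows Security log fields: EventID 4625 (failed
logon), 4624 (successful logon) and LogonType 10 (RemoteInteractive,
i.e. RDP). The records, addresses and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample records, not real telemetry. Times are ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2020-05-28T02:00:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-05-28T02:00:14", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2020-05-28T02:00:29", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2020-05-28T02:01:02", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"time": "2020-05-28T02:01:40", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"time": "2020-05-28T02:02:55", "event_id": 4625, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    {"time": "2020-05-28T02:03:20", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "src_ip": "203.0.113.7"},
    # Two failures only: below threshold, a user mistyping a password.
    {"time": "2020-05-28T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.22"},
    {"time": "2020-05-28T08:15:09", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.22"},
    {"time": "2020-05-28T08:15:20", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "198.51.100.22"},
    # Network (type 3) failures are SMB or similar, not RDP; ignored here.
    {"time": "2020-05-28T09:00:00", "event_id": 4625, "logon_type": 3, "user": "guest", "src_ip": "203.0.113.9"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_events(events):
    """Keep only RemoteInteractive (RDP) logon events."""
    return [e for e in events if e["logon_type"] == RDP_LOGON_TYPE]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Map src_ip -> peak number of failed RDP logons inside any sliding window.

    Only sources that reach `threshold` failures within `window` are returned.
    """
    failures = defaultdict(list)
    for e in rdp_events(events):
        if e["event_id"] == FAILED_LOGON:
            failures[e["src_ip"]].append(_ts(e))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def successes_after_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Successful RDP logons from a source already flagged for guessing.

    This is the alert to page on: a guessed password is exactly the initial
    foothold the report describes, and the logon is what to investigate.
    """
    flagged = brute_force_sources(events, threshold, window)
    first_failure = {}
    for e in rdp_events(events):
        if e["event_id"] == FAILED_LOGON and e["src_ip"] in flagged:
            first_failure[e["src_ip"]] = min(first_failure.get(e["src_ip"], _ts(e)), _ts(e))
    alerts = []
    for e in rdp_events(events):
        if (e["event_id"] == SUCCESSFUL_LOGON
                and e["src_ip"] in flagged
                and _ts(e) > first_failure[e["src_ip"]]):
            alerts.append((e["src_ip"], e["user"], e["time"]))
    return alerts


if __name__ == "__main__":
    print("guessing sources:", brute_force_sources(SAMPLE_EVENTS))
    print("logons to investigate:", successes_after_guessing(SAMPLE_EVENTS))
```

Two caveats a practitioner will recognise: 4625 events for RDP are only logged with the source address when Network Level Authentication is configured in a way that records it, so the `src_ip` field may be empty on some hosts, and a patient attacker spreading attempts over hours defeats a fixed ten-minute window, which is why the window and threshold are parameters rather than constants.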




For anyone dealing with risk.
CISA Releases New Cyber Essentials Toolkit
As a follow-up to the November 2019 release of Cyber Essentials, the Cybersecurity and Infrastructure Security Agency (CISA) released the first in a series of six Cyber Essentials Toolkits. This is a starting point for small businesses and government agencies to understand and address cybersecurity risk as they do other risks. CISA’s toolkits will provide greater detail, insight and resources on each of the Cyber Essentials’ six “Essential Elements” of a Culture of Cyber Readiness.
Today’s launch highlights the first “Essential Element: Yourself, The Leader” and will be followed each month by a new toolkit to correspond with each of the six “Essential Elements.” Toolkit 1 focuses on the role of leadership in forging a culture of cyber readiness in their organization with an emphasis on strategy and investment.




On the face of it...
Facial Recognition Challenged by French Administrative Court
In a decision (French only) dated 27 February 2020, the Administrative Court of Marseille annulled the deliberation of the Provence-Alpes-Côte d’Azur Regional Council that authorised, on an experimental basis, a facial recognition system in two high schools in order to (i) better control and speed up the entry of students into the schools and (ii) control access to the premises by occasional visitors.
This decision is important as this is the first administrative court decision in France about facial recognition. Since the GDPR entered into force, it is also the first French administrative court decision relating to data protection not based on a deliberation issued by the French Data Protection Authority (CNIL), which was already quite uncommon before GDPR’s entry into force.




Would we recognize free speech if we saw it?
Twitter and Reddit File Legal Brief Opposing Trump Admin’s Social Media Registration Requirement
Two of the country’s largest online communities backed a legal challenge to the Trump administration’s rule requiring nearly all U.S. visa applicants to register all of their social media handles and usernames with the federal government, claiming that the requirement violates the First Amendment of the U.S. Constitution.
In an amicus brief submitted Thursday in the U.S. District Court for the District of Columbia, Twitter, Reddit and the Internet Association threw their support behind a lawsuit filed against the U.S. State Department by the Knight First Amendment Institute, the Brennan Center for Justice, and Simpson Thacher & Bartlett LLP on behalf of Doc Society and International Documentary Association, two documentary film organizations.
The rule at the center of the controversy, which went into effect last year, compels more than 14 million annual U.S. visa applicants to disclose all social media handles that they’ve used on any of 20 platforms – including Twitter and Reddit – in the last five years.
According to the platforms, by depriving users of anonymity on these sites the government would effectively be chilling their constitutionally protected right to free speech.




Should I argue with Harvard?
Law profs: 'China was largely right' on internet 'speech control'
The Atlantic article from Harvard Law School professor Jack Goldsmith and University of Arizona law professor Andrew Keane Woods comes during a time when U.S. students are more likely to view China favorably, even as Chinese infiltration of America deepens. The piece, titled, "Internet Speech Will Never Go Back to Normal," includes the subtitle, "In the debate over freedom versus control of the global network, China was largely correct, and the U.S. was wrong."
"Significant monitoring and speech control are inevitable components of a mature and flourishing internet, and governments must play a large role in these practices to ensure that the internet is compatible with a society’s norms and values," the professors write. [Just like we do with newspapers? Bob]




Perspective.
The Problem with Heroes
For any leader, the ongoing presence of heroes is both a cause for celebration and a reason for deep concern, because it indicates a failure of the wider system, writes Wharton adjunct professor of management Gregory P. Shea in this opinion piece.




Most of my international students are from countries south and east of Europe.
FPF Releases New Report on GDPR Guidance for US Higher Education Institutions
Today, FPF released The General Data Protection Regulation: Analysis and Guidance for US Higher Education Institutions by Senior Counsel Dr. Gabriela Zanfir-Fortuna. The new report contains analysis and guidance to assist United States-based higher education institutions and their edtech service providers in assessing their compliance with the European Union’s General Data Protection Regulation (GDPR).



Friday, May 29, 2020


Will Security now have to wait for the lawyers to review the report? If legal releases actionable (any?) items, does that break confidentiality?
Capital One Must Turn Over Mandiant’s Forensics Report
Jeremy Kirk reports:
Capital One has been ordered by a federal judge to turn over the results of a digital forensics investigation into its 2019 data breach, which has been sought by plaintiffs in a class-action lawsuit.
The report could provide further insight into what went wrong in one of the most significant breaches of a financial institution in history.
Read more on BankInfoSecurity. This is a huge decision, as most entities have claimed that forensic reports are covered by work product doctrine and should not be discoverable. But in this case, the court held that Capital One had not shown that the report was ordered and requested specifically in response to the breach as a legal expense.
[From the article:
Capital One has had a standing arrangement with FireEye's Mandiant forensics unit since 2015, Anderson writes. In early 2019, Capital One paid Mandiant a retainer that it classified as a business rather than legal expense, he notes.
"Capital One has not presented sufficient evidence to show that the incident response service performed by Mandiant would not have been done in substantially similar form even if there was no prospect of litigation," Anderson writes.




Eventually, we will all agree. (And pigs might fly)
Vermont Updates its Data Breach Notification Law
As the COVID-19 pandemic presses on, privacy and security matters continue to be at the forefront for federal and state legislatures. We recently reported that Washington D.C. updated its data breach notification law. Now the Vermont legislature has also amended its data breach notification law, with significant overhauls including expansion of its definition of personal information and the narrowing of the permissible circumstances under which substitute notice may be used. Bill S.110, amending Vermont’s Security Breach Notice Act, V.S.A §§ 2330 & 2335, was signed into law by Governor Phil Scott and will take effect July 1, 2020. In addition, Bill S.110 creates new duties and prohibitions with respect to student privacy directed at educational technology services (similar to a law first enacted in California and later adopted by over 20 states).




To be expected, I guess.
The ACLU sues Clearview AI, calling the tool an 'unprecedented violation' of privacy rights
The American Civil Liberties Union is suing Clearview AI, the maker of a facial-recognition tool used by law enforcement agencies across the country.
The ACLU alleges that Clearview's technology runs afoul of the 2008 Illinois Biometric Information Privacy Act, according to the complaint, filed Thursday in the Circuit Court of Cook County, Illinois. It alleges in a statement that the company is engaging in "unlawful, privacy-destroying surveillance activities."
The ACLU said in the complaint that it is bringing the suit "to put a stop to its unlawful surreptitious capture and storage of millions of Illinoisans' sensitive biometric identifiers." Several other nonprofits, including the Chicago Alliance Against Sexual Exploitation and Sex Workers Outreach Project Chicago, have also signed onto the suit.
Clearview dismissed the ACLU complaint as "absurd" when asked for comment. According to its website, Clearview's service "has been independently tested for accuracy and evaluated for legal compliance by nationally recognized authorities."
If a person posts an image to a public Instagram page, for example, Clearview's technology is capable of grabbing it, and even if that person later changes their page to private or deletes the photo altogether, the image will still show up in Clearview's database. The tool can also scrape photos of a person even if they were posted by someone else without that person's knowledge.
Twitter, Google, Facebook and other tech companies have sent Clearview cease and desist letters, saying the tool violates their terms of service. Clearview has said it would address the tech companies' concerns, but also pushed back, saying there is a First Amendment right to public information.




Hey! It works in such bastions of freedom as Russia and China and North Korea!
Trump signs order that may impact how social media manage content
Washington Post – “President Trump on Thursday signed an executive order that could open the door for the U.S. government to assume oversight of political speech on the Internet, a broadside against Silicon Valley that a wide array of critics derided as a threat to free speech. The new directive seeks to change a federal law that has spared tech companies from being sued or held liable for most posts, photos and videos shared by users on their sites. Tech giants herald these protections, known as Section 230, as the bedrock of the Internet. But Trump repeatedly has argued they allow Facebook, Google and Twitter to censor conservatives with impunity — charges these companies deny… The order signed Thursday encourages the Federal Communications Commission to rethink the scope of Section 230 and when its liability protections apply. The order also seeks to channel complaints about political bias to the Federal Trade Commission, an agency that the White House has asked to probe whether tech companies’ content-moderation policies are in keeping with their pledges of neutrality. The order additionally created a council in cooperation with state attorneys general to probe allegations of censorship based on political views. And it tasked federal agencies with reviewing their spending on social media advertising. While Trump has threatened to penalize tech companies for years, his signing of the order Thursday came in response to a decision by Twitter earlier in the week to mark two of his erroneous tweets with fact-checking labels. The small move set off a firestorm of tweets by the president threatening social media companies with regulations and other punishments…”




Someone in the White House should have heard of the Streisand Effect…
Trump campaign attempts to remove satirical cartoon from online retailer
… “I doubt anyone had even seen it yet on the site,” he said. “This reveals that the Trump campaign has a system in place, trawling for material they find objectionable. If it happened to me so quickly, it likely has happened to others. How much other content has been removed this way on Redbubble and other sites?”




The world, she has changed.
States Are Reopening, But Many Americans Say They Aren’t Rushing Back To Normal Life
In a Morning Consult poll conducted May 12-15, only 23 percent of Americans said they were comfortable going out to eat, going on vacation or going to a shopping mall — and those were the activities that respondents were most likely to be comfortable with. Only 16 percent said they were comfortable going to the movies, 14 percent going to an amusement park and 13 percent going to the gym. And another Morning Consult poll, from May 19-21, found that sports fans have come around to holding games in empty stadiums if necessary, with 41 percent supporting a crowdless return as soon as possible and 38 percent saying leagues should wait until it’s safe for fans to attend before restarting. That’s a stark change from April 3-5, when 70 percent of fans said sports leagues should wait until it’s safe for spectators and only 16 percent favored a quicker return.




Also useful for history buffs.
Great Sets of Primary Source Documents for U.S. History Lessons
The Digital Public Library of America's Primary Source Sets are organized according to themes, eras, and events in United States history. The DPLA primary source sets include documents, drawings, maps, photographs, and film clips. Each set is accompanied by a teaching guide. All of the sets can be shared directly to Google Classroom. And each artifact that students view in the sets is accompanied by some questions or points to ponder while reviewing that artifact.
The DPLA's primary source sets provide teachers and students with a convenient way to find primary source documents.



Thursday, May 28, 2020


Is this an escalation or is Germany merely bringing this (further) out in the open?
Could the German International Arrest Warrant Against a GRU Hacker Prompt European Sanctions?
For the first time in response to a state-sponsored cyber operation, Germany’s federal prosecutor issued an international arrest warrant in early May for a Russian national, Dmitriy Sergeyevich Badin. Badin is supposedly employed by the Russian Main Directorate of the General Staff of the Armed Forces (GRU) of the Russian Federation. The international arrest warrant was issued after Badin was indicted for compromising the IT infrastructure of the German parliament in 2015. On May 13, Chancellor Merkel went on the record saying that there is “hard evidence that points to Russia.”
The chancellor argued to the German parliament that the cyber operation for which Badin was indicted is part of a broader Russian hybrid warfare strategy. She then said that although she will continue to work together with Russia, “the trustful relationship is disturbed.” When parliamentarians pressed her on the consequences Russia would face, Merkel answered vaguely, “of course we always reserve measures, also against Russia.”




Alas.
C-suite execs often pressure IT teams to make security exceptions for them
The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron.




More from the “We gotta do something!” school of thought.
Thermal Imaging as Security Theater
Seems like thermal imaging is the security theater technology of today.
These features are so tempting that thermal cameras are being installed at an increasing pace. They're used in airports and other public transportation centers to screen travelers, increasingly used by companies to screen employees and by businesses to screen customers, and even used in health care facilities to screen patients. Despite their prevalence, thermal cameras have many fatal limitations when used to screen for the coronavirus.
  • They are not intended for use at a distance from the people being inspected.
  • They are "an imprecise method for scanning crowds now put into a context where precision is critical."
  • They will create false positives, leaving people stigmatized, harassed, unfairly quarantined, and denied rightful opportunities to work, travel, shop, or seek medical help.
  • They will create false negatives, which, perhaps most significantly for public health purposes, "could miss many of the up to one-quarter or more people infected with the virus who do not exhibit symptoms," as the New York Times recently put it. Thus they will abjectly fail at the core task of slowing or preventing the further spread of the virus.




Another “can’t hurt” tool.
Google launches Scam Spotter program to help internet users identify and prevent fraud
In an effort to educate internet users on identifying and preventing scams, Google has just launched Scam Spotter, a new program that comes with its own website, at ScamSpotter.org.
Its teachings revolve around three simple rules to consider when dealing with a suspicious email, phone call or message:
  • Slow it down: Are they telling you it’s urgent? Take your time and ask questions to avoid being rushed into a bad situation.
  • Spot check: Are they claiming to be from a specific institution? Do your own research to double check the details you’re getting.
  • Stop! Don’t send: Are they asking you to go to the store and get gift cards? If you think a payment feels fishy, it probably is.




Complexifying the obfuscation that is Privacy law.
Washington D.C. Significantly Overhauls its Data Breach Notification Law
In the midst of COVID-19 challenges, privacy and security matters continue to be at the forefront for federal and state legislatures. In late March, the Washington D.C. (“D.C.”) legislature amended its data breach notification law, with significant overhauls including expansion of its definition of personal information, updates to notification requirements and new credit monitoring obligations. The Security Breach Protection Amendment Act of 2019, b23-0215, passed the 12-member D.C. Council unanimously and was signed by D.C. Mayor Muriel Bowser on March 26. The new law became effective on May 19, 2020.




’Cause lawyers have lots of interesting data.
Nearly One Fifth of Law Firms Show Signs of Compromise
Cybersecurity experts are calling for the legal sector to be defined as critical to securing national infrastructure, after revealing that 100% of law firms were targeted by attackers in the first quarter of 2020.
BlueVoyant appraised thousands of law firms worldwide between January and March 2020, to compile its latest report, Sector 17 - The State of Cybersecurity in the Legal Sector.
Of those targeted, some 15% are likely to have been compromised while nearly half showed signs of suspicious activity, including malicious proxy use, it said.




(Re-)Opening a huge can of worms?
Trump’s executive order targets political bias at Twitter and Facebook: draft
Reuters: “U.S. President Donald Trump is expected to order a review of a law that has long protected Twitter, Facebook and Alphabet’s Google from being responsible for the material posted by their users, according to a draft executive order and a source familiar with the situation. News of the order comes after Trump threatened to shut down websites he accused of stifling conservative voices following a dispute with Twitter after the company decided to tag Trump’s tweets about unsubstantiated claims [note – this link references news on this incident posted by beSpacific] of fraud in mail-in voting with a warning prompting readers to fact-check the posts. The order, a draft copy of which was seen by Reuters, could change before it is finalized. On Wednesday, officials said Trump will sign an executive order on social media companies on Thursday.
The executive order would require the Federal Communications Commission (FCC) to propose and clarify regulations under Section 230 of the Communications Decency Act, a federal law largely exempting online platforms from legal liability for the material their users post. Such changes could expose tech companies to more lawsuits. The order asks the FCC to examine whether actions related to the editing of content by social media companies should potentially lead to the platform forfeiting its protections under section 230… The draft order also states that the White House Office of Digital Strategy will re-establish a tool to help citizens report cases of online censorship. Called the White House Tech Bias Reporting Tool, it will collect complaints of online censorship and submit them to the Department of Justice and the Federal Trade Commission (FTC)…”


(Related)
Appeals court rules in favor of Google, Apple, Facebook and Twitter in anti-conservative bias suit
TechCrunch: “The same day Donald Trump took to Twitter to threaten to regulate or shut down social media sites, the U.S. appeals court in Washington, D.C. dismissed a lawsuit accusing top tech companies of silencing conservative voices. Filed in 2018 by nonprofit Freedom Watch and right-wing gadfly Laura Loomer, the suit accused Apple, Facebook, Twitter and Google of stifling First Amendment rights. The suit alleged that four of tech’s biggest names “have engaged in a conspiracy to intentionally and willfully suppress politically conservative content.” It specifically cited Loomer’s ban from Twitter and Facebook, following a tweet about Congresswoman Ilhan Omar. Also noted is her inability to grow an audience base and revenue on Google’s YouTube, suggesting that after Trump’s election “growth on these platforms has come to a complete halt, and its audience base and revenue generated has either plateaued or diminished.” Apple’s alleged role is less clear. In the ruling, District Judge Trevor McFadden notes that Freedom Watch and Loomer failed to back up a claim that the companies were “state actors,” involved with the regulation of free speech.
"The Plaintiffs do not show how the Platforms’ alleged conduct may fairly be treated as actions taken by the government itself,” the judge writes. “Facebook and Twitter, for example, are private businesses that do not become ‘state actors’ based solely on the provision of their social media networks to the public.” In other words, the companies cannot violate the First Amendment, because banning users doesn’t constitute government abridgment of free speech. Per the decision, “Freedom Watch fails to point to additional facts indicating that these Platforms are engaged in state action and thus fails to state a viable First Amendment claim.”…




Will you be able to explain why the AI did what it did? (See the next article)
Google’s federated analytics method could analyze end user data without invading privacy
In a blog post today, Google laid out the concept of federated analytics, a practice of applying data science methods to the analysis of raw data that’s stored locally on edge devices. As the tech giant explains, it works by running local computations over a device’s data and making only the aggregated results — not the data from the particular device — available to authorized engineers.
While federated analytics is closely related to federated learning, an AI technique that trains an algorithm across multiple devices holding local samples, it only supports basic data science needs. It’s “federated learning lite.”
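The privacy claim in the post rests on the server seeing "only the aggregated results", which raises the obvious question of how a server that receives every device's contribution can be prevented from reading them individually. The block below is an added illustration, not Google's code, and the post does not describe Google's protocol. It uses one standard answer, secure aggregation with pairwise additive masks: every pair of devices shares a random mask that one adds and the other subtracts, so the masks cancel in the server's sum and nothing else. The device names, per-device counts, the modulus and the fact that masks are generated in one place (a real protocol derives them by key agreement between the devices) are all assumptions made to keep the example self-contained.

```python
"""Toy federated analytics: per-device data stays local, the server sees only a sum.

Added illustration, not Google's code. The post says only aggregated results
leave the device; this adds one standard way of enforcing that, secure
aggregation with pairwise additive masks, which the post does not describe.
The device names, counts and the centrally generated masks are constructed.
"""
import secrets

MODULUS = 2 ** 32  # arithmetic in a fixed ring so masks wrap cleanly
CATEGORIES = ["weather", "news", "sports"]

# Constructed per-device raw counts (e.g. how often each topic was typed).
# In a real deployment these never leave the device.
DEVICES = {
    "phone-a": [3, 0, 1],
    "phone-b": [1, 4, 0],
    "phone-c": [0, 2, 5],
}


def pairwise_masks(device_ids):
    """One random mask vector per unordered pair of devices.

    Assumption for the toy: generated in one place. In a real protocol each
    pair derives its mask from a key agreement so no single party knows all of them.
    """
    ids = sorted(device_ids)
    return {
        (a, b): [secrets.randbelow(MODULUS) for _ in CATEGORIES]
        for i, a in enumerate(ids)
        for b in ids[i + 1:]
    }


def mask_vector(device_id, values, masks, device_ids):
    """Add each peer's shared mask: plus if we sort first in the pair, minus otherwise.

    Summed over all devices every mask appears once with each sign and cancels,
    so the server's total is the true sum while each upload looks random.
    """
    masked = list(values)
    for other in device_ids:
        if other == device_id:
            continue
        pair = tuple(sorted((device_id, other)))
        sign = 1 if device_id < other else -1
        for k, m in enumerate(masks[pair]):
            masked[k] = (masked[k] + sign * m) % MODULUS
    return masked


def server_aggregate(masked_vectors):
    """The server only ever adds masked vectors; it never handles a raw one."""
    total = [0] * len(CATEGORIES)
    for vec in masked_vectors:
        for k, v in enumerate(vec):
            total[k] = (total[k] + v) % MODULUS
    return total


def run_round(devices=DEVICES, min_participants=3):
    """Run one analytics round; refuse to aggregate below a participation floor.

    Returns (aggregate, masked_uploads). The floor matters: the "sum" over a
    single device is that device's raw data, masks or not.
    """
    ids = sorted(devices)
    if len(ids) < min_participants:
        raise ValueError(f"need at least {min_participants} devices, got {len(ids)}")
    masks = pairwise_masks(ids)
    uploads = {d: mask_vector(d, devices[d], masks, ids) for d in ids}
    return server_aggregate(uploads.values()), uploads


if __name__ == "__main__":
    total, uploads = run_round()
    for d, u in uploads.items():
        print(f"{d} uploads {u} (raw {DEVICES[d]} stays on device)")
    print("server learns only:", dict(zip(CATEGORIES, total)))
```

Two properties worth noticing when running it: the uploads change on every run while the total does not, and summing only two of the three uploads yields garbage, because the third device's masks are still in the sum. That second property is also the weakness of this minimal scheme, since a device that drops out after masks are agreed ruins the round; production secure-aggregation protocols add secret-shared recovery of dropped devices' masks, which this toy omits.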


(Related) Thinking about how to explain what your AI decided?
ICO finalises guidance on explaining decisions made with AI
Late last year, we reported that the Information Commissioner’s Office (ICO) had published draft guidance to assist organisations with explaining decisions made about individuals using AI. Organisations that process personal data using AI systems are required under the GDPR to provide an explanation of the logic involved, as well as the significance and the envisaged consequences of such processing, in the form of a transparency notice to the data subjects.
On 20 May 2020, following its open consultation, the ICO finalised the guidance (available here). This is the first guidance issued by the ICO that focuses on the governance, accountability and management of the several different risks arising from the use of AI systems when making decisions about individuals.
As with the draft guidance, the final guidance is split into three parts. We have outlined the key takeaways for each part below.




Perspective. Hastened by Covid?
The Commercial Real-Estate Market’s Impending Crash
Shopping malls are in trouble, as are the commercial mortgage-backed securities built around them. Can another 2008 be averted?




Wally has a great idea! (Covid financial advice)