Pete Recommends – Weekly highlights on cyber security issues, December 5, 2020

Subject: 2021 Healthcare Cybersecurity Priorities: Experts Weigh In
Source: Threatpost
https://threatpost.com/2021-healthcare-cybersecurity-priorities/161596/

Hackers are putting a bullseye on healthcare. Experts explore why hospitals are being singled out and what any company can do to better protect themselves. Healthcare cybersecurity is in triage mode. As systems are stretched to the limits by COVID-19 and technology becomes an essential part of everyday patient interactions, hospital and healthcare IT departments have been left to figure out how to make it all work together, safely and securely. Most notably, the connectivity of everything from thermometers to defibrillators is exponentially increasing the attack surface, presenting vulnerabilities IT professionals might not even know are on their networks.

[Editor’s Note: This content is part of an exclusive FREE Threatpost Insider eBook that examines COVID-19’s current and lasting impact on cybersecurity. Get the whole story and DOWNLOAD the eBook]

The result has been a newfound attention from ransomware and other malicious actors circling and waiting for the right time to strike.

filed https://threatpost.com/category/iot/

category RSS https://threatpost.com/category/iot/feed/

site RSS https://threatpost.com/feed/


Subject: How a Grad Student Found Spyware That Could Control Anybody’s iPhone from Anywhere in the World
Source: Vanity Fair
https://www.vanityfair.com/news/2016/11/how-bill-marczak-spyware-can-control-the-iphone

Last summer, Bill Marczak stumbled across a program that could spy on your iPhone’s contact list and messages—and even record your calls. Illuminating shadowy firms that sell spyware to corrupt governments across the globe, Marczak’s story reveals the new arena of cyber-warfare.

A trim Ph.D. candidate with dense brown hair and a disciplined beard, Marczak wasn’t just another excitable, fast-talking Berkeley grad student. He was a pioneering analyst in a new and unusual theater of cyber-warfare: the struggle between Middle Eastern freedom activists and authoritarian governments in countries such as Bahrain and Egypt. He was also a senior fellow at Citizens Lab, the University of Toronto “interdisciplinary laboratory” that had almost single-handedly discovered and alerted the world to how these governments were monitoring dissidents with spyware quietly marketed by a group of shadowy European and Israeli companies that have been labeled the first “cyber-arms dealers.”


Subject: Artificial Intelligence in Health Care: Benefits and Challenges of Technologies to Augment Patient Care
Source: U.S. GAO
https://www.gao.gov/products/GAO-21-7SP

Artificial Intelligence tools show promise for improving health care. They can help predict health trajectories, recommend treatments, and automate administrative tasks. Challenges associated with these tools include: Transparency: If a medical provider doesn’t know how a tool works, it could reduce trust in the tool. Bias: Limitations and bias in data can reduce the safety and effectiveness of AI tools.

Data: Obtaining the high-quality data needed to create effective AI tools can be difficult. We offer policy options—such as improving data access, establishing best practices, and more—to address these and other challenges we found. AI generates information for health care providers to help them better care for patients and be more efficient.

Additional Materials:


Subject: Building real cyber resiliency in government
Source: GCN
https://gcn.com/articles/2020/11/30/cyber-resilience.aspx

Across the country, government teams are pushing through roadblocks and finding new ways to get the job done while working remotely. The challenge is that as “how” and “where” work happens evolves, cyber threats likewise adapt. Adversaries are exploiting vulnerabilities and finding new ways to attack government networks and data. These attacks include an alarming rise in ransomware, phishing, smishing and vishing, with agencies experiencing upwards of 6.5 million attacks a day, up from 150,000 daily attacks before the pandemic. I recently moderated an ACT-IAC panel of experts from the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Education and the Federal Risk and Authorization Management Program to discuss how organizations can take a threat-based approach to cybersecurity, paving the way for expanded use of cloud services and resiliency for the future.  Here are some takeaways from that discussion:

The state of the threat landscape

“As we look at our threatscape, it’s important for us to understand that [attacks are] evolving at a rapid pace … and we have to evolve and adapt faster than they do,” Education Department Chief Information Security Officer Steven Hernandez said. “We have a greater [resilience] in a few areas: technology, our people — investing in them to ensure that they’re the best that they can be — and then building the coalitions so that we can outflank those threat vectors.”

Often, organizations think of cybersecurity as preventing/protecting networks against cyber threats – but that is just one element of the cybersecurity framework, as outlined by the National Institute of Standards and Technology.

NIST framework includes five functions, which match the pillars for cyber resiliency: identify, protect, prevent, respond and recover.


Subject: US Supreme Court to hear arguments on hacking law
Source: Reporters Committee for Freedom of the Press
https://www.rcfp.org/tech-press-freedom-nov-29-2020/

RCFP has argued that the Computer Fraud and Abuse Act significantly chills First Amendment activity. On December 2, 2020, the U.S. Supreme Court [heard] oral arguments in Van Buren v. United States. The Court’s decision in this case will resolve a circuit court split and bring clarity to a federal hacking law that has long vexed data journalists, security researchers and the technology industry.

The FirstFifthSeventhEighth and Eleventh Circuits have held that improperly using a computer by acting contrary to written instructions, such as terms of service, constitutes “exceeding authorized access” and is punishable under the Computer Fraud and Abuse Act. The SecondFourthSixth and Ninth Circuits, on the other hand, have held that only bypassing a technical access restriction falls under the scope of the Act.

The Reporters Committee filed a friend-of-the-court brief in this case, arguing that the statute, as written, is overly broad and implicates the First Amendment such that it is subject to application of the vagueness doctrine. Specifically, the law significantly chills First Amendment activity, including both traditional news gathering and new data-journalism techniques.


Subject: How Hackers Could Trick Unwitting Scientists Into Producing Dangerous Genes
Source: Gizmodo
https://gizmodo.com/how-hackers-could-trick-unwitting-scientists-into-produ-1845774074

In a new letter to the editor pulled from the prestigious scientific journal Nature, a team of Israeli researchers pose a frankly wild-sounding question: could a computer hack result in a scientist being swindled into creating a piece of genetic code that’s harmful—or potentially toxic—rather than helpful?The answer seems to be yes, albeit with some pretty weighty caveats. The “end-to-end cyberbiological attack” described above requires some lackluster cybersecurity chops from both sides of the genetic research supply chain: both the academics who might order genetic materials online, and the labs that might supply those materials back. While this sort of attack hasn’t been seen in the wild yet, the research team behind the letter pointed out that it’s not outside the realm of possibility—especially as more and more genetic research moves into the digital realm.

At the heart of this hypothetical hack is the software that biologists use to “print” strands of DNA from scratch and then assemble them together, a process known as “DNA synthesis.” In recent years, we’ve seen this synthesizing software underpin tons of groundbreaking biomedical research. In the mad dash to create a treatment for Covid-19, for instance, a handful of major pharma companies turned to using man-made strands of DNA as one of the components of their experimental vaccines.


Subject: How to wipe your old Windows PC clean before getting rid of it
Source: ZDNet via beSpacific
https://www.bespacific.com/how-to-wipe-your-old-windows-pc-clean-before-getting-rid-of-it/

ZDNet – “This is the time of year when PC makers offer irresistible deals on new hardware. If you’ve taken advantage of a Black Friday or Cyber Monday deal to replace your old Windows PC with a shiny new model, congratulations! So, what are you planning to do with that old, not yet obsolete device? You might be planning to hand it down to a family member or reassign it to another employee in your small business. Maybe you’re going to donate it to a local charity or put it up for sale. Whichever option you choose, your top two priorities should be safely expunging your personal data from the old device and restoring its operating system so the new owner can be productive right away. And as with all things Windows, there are multiple ways to accomplish this goal. In this post, I’ll outline the three best alternatives you have, with some thoughts on when you should choose each one. (Spoiler: The most important question is who you’re planning to give that PC to.)…”

beSpacific Subjects: Cybersecurity, PC Security, Privacy

ZDNet Topic: Windows 10


Subject: IBM Releases Report on Cyber Actors Targeting the COVID-19 Vaccine Supply Chain
Source: CISA
https://us-cert.cisa.gov/ncas/current-activity/2020/12/03/ibm-releases-report-cyber-actors-targeting-covid-19-vaccine-supply

Original release date: December 3, 2020 – IBM X-Force has released a report on malicious cyber actors targeting the COVID-19 cold chain—an integral part of delivering and storing a vaccine at safe temperatures. Impersonating a biomedical company, cyber actors are sending phishing and spearphishing emails to executives and global organizations involved in vaccine storage and transport to harvest account credentials. The emails have been posed as requests for quotations for participation in a vaccine program.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages Operation Warp Speed (OWS) organizations and organizations involved in vaccine storage and transport to review the IBM X-Force report Attackers Are Targeting the COVID-19 Vaccine Cold Chain for more information, including indicators of compromise. For tips on avoiding social engineering and phishing attacks, see CISA Insights: Enhance Email & Web Security.

RSS feed for topic – https://us-cert.cisa.gov/ncas/current-activity.xml


Subject: Police Will Pilot a Program to Live-Stream Amazon Ring Cameras
Source: EFF via beSpacific
https://www.bespacific.com/police-will-pilot-a-program-to-live-stream-amazon-ring-cameras/

EFF: “This is not a drill. Red alert: The police surveillance center in Jackson, Mississippi, will be conducting a 45-day pilot program to live stream the security cameras, including Amazon Ring cameras, of participating residents.  Since Ring first made a splash in the private security camera market, we’ve been warning of its potential to undermine the civil liberties of its users and their communities. We’ve been especially concerned with Ring’s 1,000+ partnerships with local police departments, which facilitate bulk footage requests directly from users without oversight or having to acquire a warrant.  While people buy Ring cameras and put them on their front door to keep their packages safe, police use them to build comprehensive CCTV camera networks blanketing whole neighborhoods. This  serves two police purposes. First, it allows police departments to avoid the cost of buying surveillance equipment and to put that burden onto consumers by convincing them they need cameras to keep their property safe. Second, it evades the natural reaction of fear and distrust that many people would have if they learned police were putting up dozens of cameras on their block, one for every house…”see also

https://www.jacksonfreepress.com/news/2020/nov/02/mississippi-program-use-door-cameras-fight-crime/

EFF RELATED TAGS – STREET LEVEL SURVEILLANCE


Subject: Fake calls from Apple and Amazon support: What you need to know
Source: FTC Consumer Information
https://www.consumer.ftc.gov/blog/2020/12/fake-calls-apple-and-amazon-support-what-you-need-know

Scammers are calling people and using the names of two companies everyone knows, Apple and Amazon, to rip people off. Here’s what you need to know about these calls.

In one version of the scam, you get a call and a recorded message that says it’s Amazon. The message says there’s something wrong with your account. It could be a suspicious purchase, a lost package, or an order they can’t fulfill. In another twist on the scam, you get a recorded message that says there’s been suspicious activity in your Apple iCloud account. In fact, they say your account may have been breached.

If you get an unexpected call or message about a problem with any of your accounts, hang up.

  • Do not press 1 to speak with customer support
  • Do not call a phone number they gave you
  • Do not give out your personal information

If you think there may actually be a problem with one of your accounts, contact the company using a phone number or website you know is real.

Scam Tags: Phone Scams

Subject: Private Verizon Customer Information Leaks in Chat Transcripts
Source: Ars Technica via Gizmodo

[from the “To err is human; to royally foul things up you need a computer” dept …] Verizon customers who normally use the company’s online chat system to sort out issues with their service might want to stop for the time being. A glitch is leaking personal information—addresses, phone numbers, and sometimes accounts numbers—in other customers’ chat windows. Ars Technica discovered the leak on Monday, November 30, and alerted Verizon. As of this publication, the leak has yet to be completely fixed, but the number of instances of it occurring seems to have dropped.

Posted in: AI, Computer Security, Congress, Courts & Technology, Cybercrime, Cybersecurity, Email Security, Healthcare, KM, Legal Research, Legislative, Mobile Technology, Privacy, United States Law