Pete Recommends – Weekly highlights on cyber security issues, February 4, 2023

Subject: Have a Conversation (Not a Lecture) About Fraud With Older Adults
Source: NerdWallet
https://www.nerdwallet.com/article/insurance/fraud-scam-conversation

People over 60 reported more than $1.7 billion lost to fraud and scams in 2021, according to the FBI’s 2021 Elder Fraud Report. These older adults reported both the most incidents and the highest losses of any group in the report. But that doesn’t mean you need to single out your grandparents for a phishing lesson at the next family gathering. Research shows that older adults can have additional risk factors, but everybody gets targeted by scams, and everybody gets better at avoiding scams when they’re well-informed about them. Family members and caregivers all probably have stories to tell about their own experiences with attempted scams. That’s why Taylor Patskanick of the Massachusetts Institute of Technology’s AgeLab recommends a “multi-generational conversation” on the subject.

Open conversations about fraud and financial exploitation could help older adults avoid scams — but the younger participants could probably use a reminder, too.

Filed: https://www.nerdwallet.com/hub/category/insurance


Subject: Police investigating bogus e-coupon scams at Westmoreland County businesses
Source: CBS Pittsburgh
https://www.cbsnews.com/pittsburgh/news/fake-e-coupon-scams-7-eleven-hempfield-township/

HEMPFIELD TOWNSHIP, Pa. (KDKA) – State police in Westmoreland County say thieves are targeting local businesses using bogus e-coupons and say the suspects are believed to be a small part of a much larger scam network.

“When they went into the store, they tried to purchase Newport cigarettes but they had an electronic coupon to make the cigarettes free,” said trooper Steve Limani.

The ones the two suspects tried to use weren’t legit, police said.

“We think they’re part of a much larger scam where these digital coupons are being utilized to try and take advantage of these merchants,” Limani said.

How do they get them? The deep recesses of the dark web are full of places where you can pay money to buy counterfeit e-coupons. It’s a matter of downloading whatever coupon you want and just going to your nearest retailer to use it.


Subject: Black swans events are shaping the cybersecurity present and future
Source: VentureBeat
https://venturebeat.com/security/black-swans-events-are-shaping-the-cybersecurity-present-and-future/

First coined by Lebanese-American thought leader Nassim Nicholas Taleb, the term “black swan” refers to unexpected global events that have a profound effect on society. Some are beneficial, like the invention of the printing press; and others are destructive, such as the subprime crisis in 2008. But they have all altered the course of history. In recent years, we have borne witness to a surge of black swan events, and they continue to emerge in real time. They have affected every facet of our lives, and this rings true in the world of cybersecurity. By analyzing these recent events, we can better map out our industry’s evolutionary processes to predict where cybersecurity is heading next.

The COVID-19 pandemic set the stage for innovation

See also: https://venturebeat.com/category/security/


Subject: NIST debuts long-anticipated AI risk management framework
Source: GCN
https://gcn.com/emerging-tech/2023/01/nist-debuts-long-anticipated-ai-risk-management-framework/382345/

The National Institute of Standards and Technology unveiled its long-awaited Artificial Intelligence Risk Management Framework on Thursday morning, representing the culmination of an 18-month-long project that aims to be universally applicable to any AI technology across all sectors. Increasing trustworthiness and mitigating risk are the two major themes of the framework, which NIST Director Laurie Locascio introduced as guidance to help organizations develop low-risk AI systems. The document outlines types of risk commonly found in AI and machine learning technology and how entities can build ethical, trustworthy systems.

“AI technologies have significant potential to transform individual lives and even our society. They can bring positive changes to our commerce and our health, our transportation and our cybersecurity,” Locascio said at the framework’s launch event. “The AI RMF will help numerous organizations that have developed and committed to AI principles to convert those principles into practice.”

The framework offers four interrelated functions as a risk mitigation method: govern, map, measure, and manage.

Comments on the AI RMF 1.0 will be accepted until February 27, 2023, with an updated version set to launch in Spring 2023.

Filed: https://gcn.com/emerging-tech/

RSS: https://gcn.com/rss/emerging-tech/


Subject: Cybersecurity High-Risk Series: Challenges in Securing Federal Systems and Information
Source: U.S. GAO
https://www.gao.gov/products/gao-23-106428

Fast Facts – Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.

In this report, the second in a series of four, we cover the 3 actions related to Securing Federal Systems and Information:

  • Improve implementation of government-wide cybersecurity initiatives
  • Address weaknesses in federal agency information security programs
  • Enhance the federal response to cyber incidents to better protect federal systems and information

We’ve made 712 public recommendations in this area since 2010. Nearly 21% of those recommendations hadn’t been implemented as of December 2022.

We recommended that CISA establish expected completion dates, plans for developing performance measures, and an overall deadline for the completion of the transformation initiative, as well as develop a strategy for comprehensive workforce planning.

Topic: Information Security

Many other topics: https://www.gao.gov/topics



Subject: Google Fi customer saw hacked accounts during data breach
Source: 9to5google
https://9to5google.com/2023/01/31/google-fi-customer-hack-story/

Last night Google Fi disclosed a data breach to customers that, for at least one person, turned out to be a far more serious situation involving their phone number being moved to another device and their accounts being hacked in real time. Google Fi’s disclosure of this recent data breach told customers that a “limited amount of Google Fi customer data” was accessed by a third party, explaining that the data included some account data, SIM card serial numbers, and account status, but no personal data such as names, birthdates, or other sensitive details were revealed.

However, that email varied for at least one customer. In a post shared to Reddit, a Google Fi customer said that their email from Google mentioned their phone service being transferred to another SIM card for just under two hours.

This article has some info about protecting yourself from SIM swapping: https://www.experian.com/blogs/ask-experian/how-to-protect-yourself-from-sim-swapping/


Subject: The FTC goes after GoodRx for sharing users’ health data with Meta and Google
Source: Vox
https://www.vox.com/recode/23581260/goodrx-ftc-privacy

GoodRx has not been very good at your privacy. And now the Federal Trade Commission has written an expensive prescription: a hefty fine and an agreement to implement various privacy protections. If you’re one of the tens of millions of people who used GoodRx to find bargains on your medications, the drug discount and price-shopping website and app might have done a little more than you bargained for: It sent your sensitive health data to data brokers as well as tech companies like Meta and Google to use for advertising, according to the FTC.

Some of GoodRx’s practices were first exposed in February 2020 by reports from Consumer Reports and Gizmodo, which detailed how user data was being sent to third parties. At the time, GoodRx apologized, said the data wasn’t used to target ads, and implemented some privacy controls. That seemed to be the end of it, as GoodRx operates in a digital privacy gray area. Though it may collect the same data that pharmacies, doctors, and health insurance companies do, in most cases it’s not beholden to the same health privacy laws — namely, HIPAA, the Health Insurance Portability and Accountability Act. Even when HIPAA didn’t apply to GoodRx, the FTC says that the company gave users the impression that it did by putting a little “HIPAA” icon on its website.

With GoodRx, things are a little different, as the FTC is using a rule it has never invoked before. The Health Breach Notification Rule requires vendors of personal health records that aren’t covered by HIPAA to notify consumers if their data has been accessed by a third party without consumers’ authorization. It’s been on the books since 2009, but the FTC never enforced it until now. The agency signaled a move like this would be coming in 2021, when it issued a warning to health apps and connected devices that they must get their users’ permission before disclosing their health data to third parties.


Subject: List of consumer reporting companies
Source: CFPB via Brian Krebs https://infosec.exchange/@briankrebs/
https://newsie.social/@[email protected]/109796405208858992

The Consumer Financial Protection Bureau (CFPB) has updated its list of consumer reporting companies, w/ info about your right to request your info from all these data brokers. consumerfinance.gov/consumer-t

It’s a huge list (this is nothing new) but to me it just underscores how American federal privacy laws — such as they are — really don’t afford people much protection from or recourse for anything, except maybe protection from the government. Best thing you can do is freeze your credit and that of your dependents/partner. That tends to cut down on the amount of information that’s collected, collated and maintained about you across this entire industry. https://infosec.exchange/@briankrebs/10963

Posted in: Cybercrime, Cybersecurity, E-Commerce, Financial System, Healthcare, Legal Research, Privacy