ECP NetHappenings: 12-2-19 morning edition

An Excellent Letter, a Perfect Letter. People are saying it is the Best Letter they’ve EVER Seen.
https://twitter.com/katierogers/status/1184567108853751809

Laundromat movie starring Meryl Streep on Netflix
{Panama Papers Mossack breach}
https://www.youtube.com/watch?v=wuBRcfe4bSo

The ownership of central banks
https://bankunderground.co.uk/2019/10/18/the-ownership-of-central-banks/

The Big Interception Flaw in the US-UK Cloud Act Agreement | Center for Internet and Society
https://cyberlaw.stanford.edu/blog/2019/10/big-interception-flaw-us-uk-cloud-act-agreement

Edward Snowden: ’Without encryption we will lose all privacy. This is our new battleground’: The US, UK and Australia are taking on Facebook in a bid to undermine the only method that protects our personal information.
https://www.theguardian.com/commentisfree/2019/oct/15/encryption-lose-privacy-us-uk-australia-facebook

Internet Ethics on Twitter: “It’s sort of weird that we’re reaching a point where you can go into someone’s home and not even be remotely aware that an Echo is curled up against a wall socket”
https://twitter.com/IEthics/status/1179836458892316672

The Internet of Things is a Sham – YouTube
https://www.youtube.com/watch?v=88xjs6FBu30

Google chief: I’d disclose smart speakers before guests enter my home
https://www.bbc.com/news/technology-50048144

So looking through the fine print of the apartment we are renting… Time to go hunting for cameras since we’ve already found microphones
https://twitter.com/InfoSecFriends/status/1185541844995846144

Fact: Washington does not have an extradition treaty with Beijing.

Cambridge Analytica whistleblower: US following China with privacy
https://www.cnbc.com/2019/10/09/cambridge-analytica-whistleblower-us-following-china-with-privacy.html

CacheBrowser: Bypassing Chinese Firewall Without Proxies
https://infatica.io/blog/cachebrowser-bypassing-chinese-firewall-without-proxies/

Starting December 1st, China’s new MLPS 2.0 cybersecurity laws will require submission of a facial scan to receive internet access
https://www.privateinternetaccess.com/blog/2019/10/starting-december-1st-chinas-new-mlps-2-0-cybersecurity-laws-will-require-submission-of-a-facial-scan-to-receive-internet-access/

China’s New Cybersecurity Program: NO Place to Hide
https://www.chinalawblog.com/2019/09/chinas-new-cybersecurity-program-no-place-to-hide.html

The China Connection: How One D.E.A. Agent Cracked a Global Fentanyl Ring
https://www.nytimes.com/2019/10/16/magazine/china-fentanyl-drug-ring.html

The City Of Baltimore Blew Off A $76,000 Ransomware Demand Only To Find Out A Bunch Of Its Data Had Never Been Backed Up
https://www.techdirt.com/articles/20191004/19564743128/city-baltimore-blew-off-76000-ransomware-demand-only-to-find-out-bunch-data-had-never-been-backed-up.shtml

A list of the Colorado priests named in the Catholic church sex abuse report, where they worked and when. The report accuses 43 priests, but most of the abuse was committed by five.
https://coloradosun.com/2019/10/23/names-of-priests-accused-of-sexual-abuse-colorado/

YOUR KIDS AND YOUR GRANDKIDS RIGHT NOW
College admissions officers rank prospective students based on web browsing, family finances and other data
https://www.washingtonpost.com/business/2019/10/14/colleges-quietly-rank-prospective-students-based-their-personal-data/

Children’s digital rights to Privacy!!!!
YouTube in particular is a top destination for children under 13.
The Federal Trade Commission is reviewing the Children’s Online Privacy Protection Act (COPPA), the only comprehensive federal privacy law we have in the United States. The FTC review comes after a spate of children’s protection failures by tech giants. Most recently, the agency fined Google $170 million for violating the kids’ privacy law on YouTube.
YouTube claimed its services were not for kids, even as the platform promoted itself to advertisers as the top online destination for children.
Educational institutions and ed tech vendors have as poor a track record on children’s data protection as the tech giants. Over the last three years there have been more than 700 data breaches, hacks, ransomware and DDoS attacks on U.S. public schools, according to K-12 cybersecurity incident data.

A hacker stole 77 million user accounts from Edmodo, a social learning platform used widely in K-12 schools around the world.
https://www.edsurge.com/news/2017-05-11-hacker-steals-77-million-edmodo-user-accounts

The K-12 Cyber Incident Map 715 Incidents Since January 2016
https://k12cybersecure.com/map/

Hyperstealth Biotechnology Corp’s Quantum Stealth material, a “broadband invisibility cloak”, bends light around a target. It works across the visible spectrum as well as in ultraviolet, infrared and shortwave infrared.
https://twitter.com/hackermaderas/status/1186344576187015175

Phone passwords support these symbols:
~ @ ! # $ % ^ & * ( ) / : ; ? , . < > _ -

DHS cyber unit wants to subpoena ISPs to identify vulnerable systems
https://techcrunch.com/2019/10/09/cisa-subpoena-powers-isp-vulnerable-systems/

Samsung: Anyone’s thumbprint can unlock Galaxy S10 phone
https://www.bbc.com/news/technology-50080586

Turla group exploits Iranian APT to expand coverage of victims – NCSC
https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims

Malicious Payloads – Hiding Beneath the WAV
https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html

How the OceanLotus Threat Group leveraged steganography to conceal malicious backdoor payloads within image files
https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/white-papers/OceanLotus-Steganography-Malware-Analysis-White-Paper.pdf

FACEBOOK ADS INC: “The evil genius of Ads Inc was that it evaded detection in part by using thousands of different Facebook accounts to place ads. And it got these by paying average Americans $15 a month to ‘rent’ their FB accounts.”
https://twitter.com/CraigSilverman/status/1184577478641233921

Mysterious UAE cyber firm luring ex-Israeli intel officers with astronomical salaries
https://www.haaretz.com/israel-news/.premium-mysterious-uae-cyber-firm-luring-ex-israeli-intel-officers-with-astronomical-salaries-1.7991274

Remember this? Judge approves $415M settlement in Apple, Google wage case
https://www.chicagotribune.com/business/ct-apple-google-tech-wage-settlement-20150903-story.html

@NordVPN hacked https://twitter.com/le_keksec
https://twitter.com/le_keksec/status/1185745754176049153
https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt

Hackers steal secret crypto keys for NordVPN.
https://arstechnica.com/information-technology/2019/10/hackers-steal-secret-crypto-keys-for-nordvpn-heres-what-we-know-so-far/

“So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys”
https://twitter.com/hexdefined/status/1185864801261477891

Planting Tiny Spy Chips in Hardware Can Cost as Little as $200
https://www.wired.com/story/plant-spy-chips-hardware-supermicro-cheap-proof-of-concept/

Meet America’s newest military giant: Amazon
https://www.technologyreview.com/s/614487/meet-americas-newest-military-giant-amazon/

Hacking group Keksec is back. This time they didn’t post funny pictures of their billboard hacks. They published a guide on how to hack them.

The secret life of our HIPAA data
“There’s a misconception that all health information is protected by HIPAA; it’s just not true,” she says. A growing number of apps and websites skirt oversight, such as wearable devices that track your heart rate, or an app or portal where individuals can store their own health information. If a company isn’t covered by HIPAA, it “can do more with your health information than you might think, without your consent,” she said.
Can your medical records become marketing? We investigate a reader’s suspicious ‘patient portal’. Our tech columnist helps identify a HIPAA loophole, explains Apple Pay and shares a Firefox upgrade that helps you track the data trackers on your computer.
The patient portal FollowMyHealth.com reserves rights to use “personal health record” data for “marketing and advertising purposes, including sending you marketing and advertising communications whether on our behalf or on behalf of marketing partners.” Say what? Nobody wants to see their medical diagnosis turn into an ad.
What’s the law here? A patient portal that has a business associate agreement with your doctor’s office to collect your personal health information should be covered by HIPAA, said Deven McGraw, the former deputy director of health information privacy at the Office for Civil Rights in the U.S. Department of Health and Human Services. And under HIPAA, showing paid, targeted advertisements should require consent from each patient.
When I contacted Follow My Health’s corporate parent Allscripts, it painted a narrower picture of its practices and claimed the site wasn’t limited by HIPAA. “Unlike a patient portal that a vendor hosts or supports for a single health-care provider, a vendor of a personal health record product that allows individual consumers to aggregate their health information from multiple sources is not regulated by HIPAA,” Lynch said. The HIPAA-covered business associate relationship, he said, is “limited to the technical work that is necessary to establish and maintain connectivity” between a doctor’s electronic records system and Follow My Health.
https://www.washingtonpost.com/technology/2019/10/22/help-desk-can-your-medical-records-become-marketing-we-investigate-readers-suspicious-patient-portal

Bernie’s tax plan and healthcare cost
https://bernietax.com/

Researchers unveil the world’s first programmed DNA computer prototype
https://www.fanaticalfuturist.com/2019/04/researchers-unveil-the-worlds-first-programable-dna-computer-prototype/