Category Archives: Security

HELP STOP the White House Executive Order that would lead to massive Internet censorship.

The White House is spinning this executive order, “Preventing Online Censorship”, as a positive for free speech! However, if it succeeds, it will accomplish the opposite: it places majority power in the hands of the White House-appointed FCC Commissioner, Republican Ajit Pai.

We are all for equalizing the playing field, and we agree there is a content filtering monopoly. However, this Executive Order is NOT the solution; it would shift censorship to the government. The order would also allow news, conspiracy theories, and influence from outside government to go unvetted when favorable to one party or the other. Stop the White House's movement to take this country toward autocracy. (A) It is a move similar to defunding the United States Postal Service prior to a presidential election.

Michael

CONTENT FROM MY FRIENDS AND ASSOCIATES AT FIGHT FOR THE FUTURE:

Bad news. The Federal Communications Commission (FCC) is moving forward with a White House Executive Order that would lead to massive Internet censorship. They’ve opened an official public comment period, and we have to act NOW because the deadline is just a few weeks away.

We’re launching a new campaign to flood the FCC with comments opposing the “Censor the Internet” Executive Order, which would gut Section 230 of the Communications Decency Act and put FCC chairman Ajit Pai in charge of policing online free speech.

Will you chip in to help us stop the “Censor the Internet” Executive Order?

There’s a lot to do. First, we need to rebuild our tool that makes it easy for ordinary people to submit comments to the FCC (their regular comment website is essentially unusable).

Then our campaign team will need to get that tool in front of millions of people so we can generate as many comments as possible, as well as media attention and signal boosts from popular musicians and celebrities to keep the issue in the spotlight.

We know how to do this, and we know how to do it well. During the net neutrality fight, our tools drove more comments to the FCC than ever before in history. But because we’ve done it before, we also know we need to raise more funds to cover the costs of this campaign.

Please chip in whatever you can—whether it’s $5 or $500—to make sure we can stop the FCC from enacting this Executive Order and keep the Internet free from political censorship. 

You might be wondering, will the FCC even listen to our comments? Fair question! The overwhelming majority of comments they received opposed the repeal of net neutrality, and they did it anyway. (1)

But here’s the deal: this Executive Order is so poorly written—and so blatantly illegal—that even Ajit Pai has signaled that he’s against it. (2) But if there aren’t enough comments opposing it, politicians that want to censor the Internet and control the free flow of information will seize on that to push their agenda. 

We can’t let that happen, which is why we’re building a tool and launching a campaign to flood the FCC with comments against Internet censorship. Will you chip in to fund this work?

We know these are tough times and not everyone can give right now. If you can’t, don’t worry. We’ll follow up soon with information on how to submit a comment and help sound the alarm. If you’re lucky enough to be in a position to give right now, please stretch as much as you can. This is important!

Chip in here: https://www.fightforthefuture.org/donate

Thanks for all you do,

-Evan at Fight for the Future

Footnotes:
(1) – Cnet: https://www.cnet.com/news/fcc-gets-more-10-million-comments-on-net-neutrality/
(2) – Forbes: https://www.forbes.com/sites/robpegoraro/2020/07/28/heres-trumps-plan-to-regulate-social-media/#61ac2f9562fa

(A) – Autocracy is a system of government in which supreme political power to direct all the activities of the state is concentrated in the hands of one person, whose decisions are subject to neither external legal restraints nor regularized mechanisms of popular control.

ABOVE IS THE CONTENT FROM MY FRIENDS AND ASSOCIATES AT FIGHT FOR THE FUTURE


11/09/2020: Zoom’s meeting platform security crisis continues. 07/13/2020: Zoom wants to share calls with the police!

11/09/2020 – Update

FTC Requires Zoom to Enhance its Security Practices as Part of Settlement.
The Commission alleged that the company deceived users about the level of security of the Zoom meeting platform and unfairly undermined a browser security feature.

“Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base, which has skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.”

07/25/2020 – UPDATE

Under all the external pressure, Zoom reversed its decision to make end-to-end encryption a paid feature. Privacy and security MUST be the default in technology, not a paid luxury!

ORIGINAL 07/13/2020 POST:

This is outrageous. Zoom made significant and commendable strides in 2020 to finally address security flaws. However, IMO this latest policy change puts them back in the dog house. Zoom just announced that it will NOT offer end-to-end encryption to users with free accounts, because it wants to give the police and FBI access to calls.

If paid subscribers do get end-to-end encryption, this “policy” is a blatant strategy to simply generate revenue.

Sign the petition to tell Zoom: “Keep people safe by implementing default end to end encryption for all video, audio, and text chat.”

Tell Zoom to implement end to end encryption for all users.

FROM FIGHT FOR THE FUTURE:
“This threatens protesters who are using Zoom to coordinate demonstrations and have confidential discussions about necessary reforms. By giving cops these sensitive conversations, Zoom puts activists at risk. The police can use the information gathered to disrupt protests and even arrest the people involved.”

“As activists demand justice, accountability, and freedom from police violence, Zoom fuels the very police oppression the protesters are fighting against.” (1)

“This is a decisive moment of change. The need for safety both on and offline has never been greater. Now more than ever companies must take action for our security, not expose us to more danger.”

Tell Zoom to keep all users safe.

“Eric Yuan, Zoom’s CEO, believes limiting encryption to paying customers is necessary because “some people use Zoom for bad purposes.” Not only does Yuan show disturbing bias in drawing a connection between free users and criminals, but he’s making a ridiculous argument. People with bad intentions will just pay to secure their calls, which means there’s literally no reason not to offer end to end encryption to free account holders other than to do law enforcement a favor.” (2, 3)

Eric Yuan, CEO Zoom

“And while bad actors and corporations pay for safety, users who can’t afford paid accounts will be left vulnerable to cyber-criminals, stalkers, and governments around the world, who can access calls with full cooperation from Zoom.” (4)

“This sets an extremely dangerous precedent. This is what law enforcement wants and why they’re pressuring Facebook to not roll out end to end encryption on Messenger. By doing this Zoom is reinforcing a dangerous lie that widespread availability of end to end encryption is inherently dangerous, which is just nonsense.” (5)

Tell Zoom to make all user accounts safe and secure with end to end encryption.

Footnotes:
1. The Guardian: https://www.theguardian.com/technology/2020/jun/03/zoom-privacy-law-enforcement-technology-yuan
2. CNET: https://www.cnet.com/news/zoom-wont-add-encryption-to-free-calls-so-it-can-work-with-law-enforcement/
3. Schneier on Security: https://www.schneier.com/blog/archives/2020/04/secure_internet.html
4. Tech Crunch: https://techcrunch.com/2020/04/01/zoom-doom/
5. The Verge: https://www.theverge.com/2020/3/3/21158030/encryption-explainer-guide-law-enforcement-apple-fbi

Data Protection Law in the Age of Big Data and AI

A must read from Sandra Wachter for executives and front line legal and tech warriors.


“A Right to Reasonable Inferences: Re-Thinking Data Protection Law in the Age of Big Data and AI”
Sandra Wachter – University of Oxford – Oxford Internet Institute
Brent Mittelstadt – University of Oxford – Oxford Internet Institute

“Data protection law is meant to protect people’s privacy, identity, reputation, and autonomy, but is currently failing to protect data subjects from the novel risks of inferential analytics.”

Paper from SSRN – why you should create a free SSRN account.

PDF: https://fitceo.com/wp-content/uploads/securepdfs/2019/01/SSRN-id3248829.pdf

Google Releases Updates for Chrome

Original release date: December 12, 2018 via The National Cybersecurity and Communications Integration Center (NCCIC)

Google has released Chrome Version 71.0.3578.98 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to take control of an affected system.


The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review the Chrome Releases page and apply the necessary updates.


E-Verify Reminder – DHS – Q4 2018

Reminder: Employers may not terminate employees because of a Tentative Non-Confirmation (TNC)

You may not terminate or take any other adverse action against an employee because of Tentative Non-Confirmation (TNC) until the Social Security Administration (SSA) and/or Department of Homeland Security (DHS) has reviewed the case and the TNC becomes a Final Non-Confirmation.

Resources for more information on TNCs:


EMPLOYMENT ELIGIBILITY VERIFICATION (EEV) SERVICES

US Infrastructure: An Achilles Heel / SCADA exposure will short-circuit our utilities!

  • What is it?
  • Where are the vulnerabilities?
  • What should be considered?
  • Resources

Supervisory Control And Data Acquisition (SCADA) networks pervade industry. These small microcontroller-based systems are used to control large industrial machines and systems. SCADA systems are predominantly used for monitoring industrial processes, often in remote locations.

Typically, remote terminal units and Programmable Logic Controllers are connected to enterprise networks using a “telemetry” network. Where the telemetry network meets the enterprise computer network, gateways permit two-way communications between the SCADA network and the traditional corporate network.

SCADA systems were designed to be highly efficient, but they were not necessarily designed with security in mind. Because security was not the primary consideration, SCADA telemetry networks may be highly vulnerable to exploitation. Because SCADA systems control and provide feedback on industrial processes, exploitation of these systems could seriously disrupt key industrial processes, such as power generation, lift and crane systems, and transportation systems.

There are numerous entry points to SCADA telemetry networks:

  • Compromise of WLAN and/or wireless networks that connect SCADA systems to each other and to control systems;
  • Compromise of gateways from traditional computer networks to the SCADA network;
  • Improper physical access to key control systems;
  • Access to telemetry networks and modification of command-level traffic (typically this traffic is unencrypted);
  • Application-level vulnerabilities in SCADA control software;
  • SCADA traffic encapsulated in TCP/IP and transmitted over public networks.

These vectors are but a limited selection of the entry points for SCADA networks. Because of the traditional use of SCADA networks, encryption of traffic between endpoints is often forgone.

The most memorable SCADA attack was Stuxnet (1). Stuxnet attacked the centrifuge control SCADA systems in Iran, rendering them useless.

Organizations need a structured approach to securing SCADA systems.

While firmware manufacturers may be slow to respond to security requirements, organizations must take the following preventive initiatives:

  • Implement simple but effective controls that separate SCADA networks from general computer network systems.
  • Monitor SCADA system activities for abnormal conditions.
  • Upgrade and assess SCADA firmware on a regular basis.
  • Where bounds checking has been implemented (for controller movement such as stepper-motor controlled systems), the configuration scripts for SCADA devices must cover movement bounds to avoid damaging control hardware.
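The segregation, monitoring and bounds-checking items above can be enforced at the point where a write command is about to reach a controller. The following is an added example (not VIMRO's or the authors' code); the device name, its movement limits, the allowed host and the sample command log are all constructed for illustration.

```python
# Added example (not VIMRO's code): gate controller write commands on the
# configured movement bounds and on the SCADA segment's host allowlist.
# Device names, limits, hosts and the sample commands are constructed.

# Hypothetical "configuration script" bounds per axis: (min_pos, max_pos,
# max_step) in stepper steps; these must exist before any write reaches hardware.
DEVICE_LIMITS = {"conveyor_x": (0, 5000, 250)}

# Hosts on the segregated telemetry segment permitted to issue writes.
ALLOWED_WRITERS = {"10.10.5.11"}

def check_command(device, src_ip, current_pos, target_pos):
    """Return (accepted, reason) for one write command."""
    if src_ip not in ALLOWED_WRITERS:            # segregation check
        return False, "write from non-SCADA host"
    if device not in DEVICE_LIMITS:
        return False, "unknown device"
    lo, hi, max_step = DEVICE_LIMITS[device]
    if not lo <= target_pos <= hi:               # bounds check
        return False, "target outside movement bounds"
    if abs(target_pos - current_pos) > max_step: # rate-of-change check
        return False, "step exceeds max_step"
    return True, "ok"

def audit(commands):
    """Replay commands, tracking position only for accepted writes, and
    return the rejected ones so they can be alerted on as abnormal activity."""
    pos = {d: 0 for d in DEVICE_LIMITS}
    rejected = []
    for device, src_ip, target in commands:
        ok, reason = check_command(device, src_ip, pos.get(device, 0), target)
        if ok:
            pos[device] = target
        else:
            rejected.append((device, src_ip, target, reason))
    return rejected

# Constructed sample: normal moves plus three writes that must be refused.
SAMPLE = [
    ("conveyor_x", "10.10.5.11", 200),
    ("conveyor_x", "192.168.1.40", 300),  # arrived via the corporate gateway
    ("conveyor_x", "10.10.5.11", 6000),   # beyond max_pos
    ("conveyor_x", "10.10.5.11", 400),
    ("conveyor_x", "10.10.5.11", 900),    # jump of 500 exceeds max_step
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print("REJECT", entry)
```

Every rejected entry is both a safety stop for the hardware and a monitoring event: a write from the corporate side of the gateway or a target outside the configured bounds is exactly the abnormal condition the list above says to watch for.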

Finally, while there are many technological aspects to controlling SCADA systems, we cannot overlook the human element.

Originally released in part by VIMRO,
Larry Boettger
and
Michael Horsch Fizz

Resources:

SCADA 2019 Tech Summit: August 28 – 29, 2019
Westin O’Hare: 6100 N River Rd, Rosemont, Ill. 60018


(1) An Unprecedented Look at Stuxnet, the World's First Digital Weapon

They will bypass your best computer security system in ten minutes.

Social Engineering
The Evil Art of Human Hacking

Social engineering is a technique hackers use to take over an account by persuading or psychologically manipulating people into divulging confidential information. It is usually the first step within a more complex scheme. Social engineering uses “confidence building” techniques to set the victim at ease and convince him or her that the attacker is legitimate and presenting a valid scenario.

Social engineering is very common and occurs regularly; it is so pervasive, in fact, that two prominent internet companies, GoDaddy and PayPal, recently fell for a carefully crafted social engineering attack. This attack enabled unauthorized parties to hijack the account of a significant user and, through that breach, to access other confidential accounts. Cases like this “should have thrown up red flags for any Internet company dealing in identity,” reports techcrunch.com. “These are not new tactics and they should be guarded against as a very basic precaution.”

More alarming than the frequency of social engineering attacks is the relatively low risk for the attacker, who can disengage at any time simply by hanging up the phone or deleting the address used to send fraudulent emails. When this low risk is combined with the inviting ratio of success to failure, social engineering becomes an attractive alternative to much riskier fraud that requires facing your victim.

The means to defeat social engineering, however, are relatively simple if you understand what social engineering is: social engineering is a con. It relies on the victim’s reluctance or inability to question the authenticity of the attacker. Once that authenticity is questioned, the attacker must deviate from their “script” and flounder to avoid being discovered. The more you drive the attacker off the script, the more information you can gain; proportionally, this increases the risk to the attacker. Five simple steps can help you avoid becoming a victim of social engineering:

  • Question the authenticity of every communication. This is especially true if you are asked for information such as usernames, passwords, or other sensitive data.
  • Do not be afraid to validate the caller. Advanced social engineers will set up “bounce” numbers; these are phone numbers that are answered by co-conspirators who serve to falsely validate the authenticity of the caller. You can avoid this trap by instead calling a number you know to be legitimate, such as the published number for a company or the internal extension for the employee’s supervisor.
  • Insist on two-way validation. If someone asks you for your information, ask them for their information about you. For example, if a caller identifying himself as an IT technician asks for your information, ask what equipment his database reports for you. Then request from him his supervisor’s name, which you can validate in an employee directory, and call that supervisor to validate his request.
  • If you have identified a social engineering attempt, be sure to communicate your finding to management; news of this attempt should then be shared companywide to limit the attacker’s possible success.
  • Validate through testing. Every organization should, as one component of a thorough penetration test, evaluate employee readiness for social engineering attempts. A firm well versed in social engineering testing will go beyond mere phone calls, employing a multitude of techniques to perform extensive tests in this discipline.

Originally released in part by VIMRO,
Larry Boettger
and
Michael Horsch Fizz
