
Peter Cavicchia

New National Cybersecurity Guidelines Put in Place for Rail Transportation

December 13, 2021 Pete Cavicchia

During an era when federal pushes to increase infrastructure spending and heightened concerns over security risks across all sectors dominate headlines, recent news that the United States government is imposing cybersecurity regulations for rail transit made waves.

CBS News recently reported on the announcement that the federal government just imposed cybersecurity mandates for “higher risk” rail transit and railroad systems.

The Department of Homeland Security and the Transportation Security Administration stated that freight trains and passenger transit rail systems will now have to report all cybersecurity incidents to the federal government within a 24-hour timeframe, put in place a 24/7 cybersecurity liaison with federal agencies, institute incident response plans, and conduct vulnerability assessments to address gaps in their cybersecurity protocols.

"These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats," DHS Secretary Alejandro Mayorkas said in a statement that was published by CBS News.

Officials in the freight and passenger rail transit industries have pushed back at the idea of more federal regulations.

"Mandating a prescriptive 24-hour reporting requirement in a security directive could negatively affect cyber response and mitigation by diverting personnel and resources to reporting when incident response is most critical,” President and CEO of the American Public Transportation Association (APTA), wrote in a recent letter to U.S. lawmakers. "Additional personnel and resources needed to comply with the requirements will add significant compliance costs just as transit agencies are working to recover from the COVID-19 pandemic.”

Fears over continued cyberattacks on transportation systems are a very pressing concern for federal regulators and transit officials alike. This year alone, the nation has seen hacks result in supply chain shortages and fuel shortages, and it does not seem out of the realm of possibility that our trains and passenger rail systems could be at elevated risk in the near future.

CBS’s report highlights a ransomware attack that affected the Southeastern Pennsylvania Transportation Authority in 2020. That service is behind Philadelphia’s rail transit system. In August 2020, the Philly Voice covered the attack, writing that hackers were able to temporarily achieve unauthorized access to the transit authority’s servers.

Cases like this are reminders that our transportation systems are particularly vulnerable, especially during high-travel periods like the holiday season and beyond.

As we have a continual national reckoning over how to keep our systems — from healthcare to banking — safe and secure, a focus will continue to be directed on our passenger and commercial trains.

Tags CBS News, Ransomware, Rail Transit

This Tool Makes Sure Facebook Doesn’t Track Your Browsing History

November 30, 2021 Pete Cavicchia

Back at the start of 2020, Meta Platforms, Inc. (then known as Facebook) CEO Mark Zuckerberg announced the global implementation of the “Off-Facebook Activity” tool. The goal was to give users the ability to manage how the company’s social media platform tracked Internet viewing history.

With much in the news lately about how Facebook uses and shares your data and gives third-party apps access to your browsing history, the tool seems more timely, and more useful, than ever.

Tech news site CNET recently detailed how you can best make use of Off-Facebook.

If you haven’t been aware of the tool, keep in mind it switches off Facebook’s default setting of sharing your account data. You can also take it upon yourself to specifically select individual companies that you don’t want to have access to your data and send you intrusive targeted ads.

CNET’s Katie Teague outlines that, first, you have to go to “Settings & Privacy” on Facebook, then go to “Settings,” select “Your Facebook Information,” and then choose “Off-Facebook Activity.” Once you’re in Off-Facebook Activity, you can clear your history. Additionally, you can switch off future data-sharing activity from your account.

Teague explains this means you are instructing Facebook to wipe away identifying information that apps are sharing. Essentially, now the social media company will no longer be privy to what sites you are visiting, preventing you from receiving targeted advertisements in your Facebook Newsfeed.

Separately, Teague pinpoints how you can also manage specific ads you encounter on the platform. It’s as simple as going to your “Settings” and then selecting “Ad Preferences.”

Once you’re in your ad preferences, you can see a full rundown of the various companies that are running ads on your feed based on your identifying Facebook information and data through “Advertisers and Businesses.” You can select unwanted companies and choose “Don’t Allow.”

She also recommends you head to “Ad Settings” in order to switch off advertisements that are derived from data from the site’s partners as well as from your social actions and your use of other Facebook products. Keep in mind this doesn’t delete the data itself and you’ll still see other ads appearing on your feed. Teague says the Off-Facebook tool is still the most definitive way to protect your data and personal information from being co-opted and used for ads.

In summary, whether using Facebook — or any other social media platform — you should scrutinize how your data is being shared and look closely at settings you can enable to prevent that information from being used by third parties. Given how ubiquitous social media is right now, it’s crucial you do everything you can to protect your sensitive and personally identifying data.

Tags Meta, Off-Facebook Activity, CNET

A Look at the Top Social Media Scams

November 19, 2021 Pete Cavicchia

About seven in 10 people in the United States use social media platforms. Compare that number to just 5 percent of American adults in 2005, when the Pew Research Center started tracking social media habits, to see just how much a part of daily life social media is right now.

It’s pretty hard to avoid a reliance on social media accounts — from getting one’s fix of daily news, to connecting with friends and relatives, to sharing content about how you spent your time on your most recent vacation.

As has been widely reported, this makes social media platforms rife with cybercriminal activity. Given its ubiquity, social media is just as much a hotbed for phishing scams and hacks as email and online banking, for example.

Why you should be wary of cybercrime on social media

Tech blogger Kim Komando reports that a recent survey from Check Point Research shows social media platforms WhatsApp, LinkedIn, and Facebook made the top 10 list of faked brands used by phishing scammers.

It’s no surprise why social media companies — and the well-known brands associated with them — make for particularly potent hacking targets. They are often the places where users share their most personal, identifying data, from location to bank account information to images of personal contacts.  

The top ten social platforms for scams

The website Government Technology highlights another study — this time from SocialCatfish.com — in which 726 members of a Facebook group “Social Catfish (SCF) Seekers” have all self-reported being scammed out of money online. The top 10 social sites that generated the most reports of these scams are:

  1. Facebook

  2. Google Hangouts

  3. Instagram

  4. WhatsApp

  5. Plenty of Fish

  6. Match.com

  7. OurTime

  8. Zoosk

  9. Words With Friends

  10. Tinder

Facebook came out at the top due to the large number of reported fake profiles that tend to flood the site and users’ DMs. The picture was similar on Instagram, another popular social platform owned by Facebook. On the photo-sharing app, fake accounts tend to proliferate, at times sending users deceptive messages asking for financial and personally identifying information.

Practice sound judgment online

Fake accounts that look and sound like real people defined the connective theme throughout the survey. It underscores the importance of being vigilant about who you interact with online and, most importantly, what kind of information you’re sharing.

Unless you are interacting with a merchant or a bank you know and trust, do not share your personal financial information or anything sensitive such as personal address or social security number. If you ever receive a message from a bot that seems to be asking for this intrusive information, steer clear.

All of these platforms have methods of reporting potential scams. If you suspect you are receiving solicitation from a hacker or a scam account, please report the suspicious account and block them from viewing or accessing your page.

Tags Social Media, Scams, Cybercrime

U.S. Government Puts Forth These Recommendations to Prevent Next Big Hack

November 9, 2021 Pete Cavicchia

On November 3, the Biden administration mandated federal agencies to patch hundreds of cybersecurity flaws. The end goal is to prevent the next big cybersecurity crisis. This comes after major events like the SolarWinds hack — when suspected Russian hackers weaponized SolarWinds and Microsoft software to hack U.S. federal agencies — put the need to improve cybersecurity protocols center stage.

It further underscores just how ill-prepared governmental agencies, and the general public alike, are for major hacks.

The Verge reports on this new directive from the Cybersecurity and Infrastructure Security Agency (CISA), which highlighted “200 known threats that cybersecurity experts discovered between 2017 and 2020.”

Right now, these federal agencies have just six months to put patches in place to cover vulnerabilities exposed by older threats. Additionally, they have two weeks to fortify what was exposed by newer threats from the past year.

“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber-attacks,” CISA director Jen Easterly said in a statement on the directive, which was first reported by The Wall Street Journal. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

SolarWinds is included in the list of major threats, along with the Microsoft Exchange Server flaw. The Microsoft attack involved the hacking of emails from 30,000 American commercial and governmental organizations. What makes that attack particularly frustrating for government officials is the reality that had just “four known security holes” been patched, the attack could have been stopped in its tracks, the Verge reports.

All of this means cybersecurity threats will continue to be at the top of headlines — not just in the U.S., but around the world.

Back in May, President Joe Biden signed an executive order that sought to prevent similar attacks. This order included provisions such as two-factor authentication throughout the federal government, the institution of a Cybersecurity Safety Review Board, and uniform recommendations for responding to these kinds of attacks, the Verge adds.

This increased vigilance signals we are only heading into an ever-heightened sense of alarm over cybersecurity dangers. Shielding individuals’ sensitive data while also putting cybersecurity central to both federal and commercial policy is key to combatting these threats.

Tags Biden, The Verge, CISA

How to Scare Away Security Threats this Halloween Season

October 29, 2021 Pete Cavicchia

It’s the end of October, and we’re now in the midst of Halloween season. During a busy time that includes taking the kids out trick-or-treating, attending costume parties, or watching seasonally appropriate scary movies, it can be easy to lose track of concerns about security, both physical and cyber.

Some scary cybersecurity statistics

The conclusion of Halloween brings the end of Cybersecurity Awareness Month, but that doesn’t mean your vigilance about potential cybersecurity threats should stop. Instead, it should carry through all year, every year.

For Halloween, Pax8 Blog published an overview of cybersecurity threats that go bump in the night. Here’s a look at some of the statistics they scared up:

  • Hacks have a long lifecycle — IBM’s Cost of a Data Breach Report found it took an average of 212 days to detect a cyber breach as well as 75 days to contain it. They found that the total lifecycle of a hack is 287 days. To illustrate this point further, they explain that if a company had been breached by hackers on January 1, 2021, it would take until October 15 to be contained.

  • An escalation of ransomware attacks — They also point to the scary statistic that ransomware attacks increased by 185 percent in the United States for the first six months of 2021. In the United Kingdom it was 144 percent, according to data from SonicWall.

  • A lot of data failed to be restored — Even bleaker, Sophos found that just 65 percent of data was restored after a company paid ransom to cybercriminals following a ransomware attack.

  • Remote workers are ill-equipped for hackers’ attacks — In its State of the Phish Report, Proofpoint found 70 percent of organizations fail to institute best cybersecurity practices in remote worker trainings. This is a particularly big oversight given the rush to embrace remote work during the COVID-19 pandemic.

All of these worrying statistics offer a reminder that it’s crucial to practice proper cybersecurity hygiene. Keep passwords private and safe, utilize multi-factor authentication, and do not transmit private and sensitive data over public Wi-Fi or shared computer connections. Similarly, be wary of social media scams, and not just during Halloween. Never give your private information to a third party.

Trick-or-treat season is a time to be vigilant about physical safety and security, too

This time of year, reminders about safety extend beyond the cyber world.

If you and your family are out and about trick-or-treating on October 31, be vigilant about physical safety, too. UPMC Children’s Hospital of Pittsburgh offers some Halloween-specific safety instructions for your children. These include making sure all children have adult supervision when they are out for Halloween, avoiding sharp objects and costume accessories, visiting familiar neighborhoods to collect candy, and washing all fruit and inspecting exactly what kind of food items are being placed in your kids’ trick-or-treat bags.

This year also poses unique safety concerns due to COVID-19. Healthychildren.org outlines recommendations for safely enjoying the spooky holiday during the pandemic. Chief among them — focus on outdoor activities. While we are in a better place with COVID-19 than we were a year ago, congregating in large groups of strangers still poses risks. If you are concerned about COVID-19 transmission — either for yourself, your children, or your family at large — consider outdoor activities and bring a protective face mask if you are planning on going inside. Also, make sure you bring some hand sanitizer along the way.

While Halloween can be a fun time of year, make sure you celebrate safely. Always keep both your physical and digital safety at the front of your mind.

Tags Halloween, Cybersecurity, Hacks, Ransomware

This is the Sky-High Ransomware Payment Total for 2021 So Far

October 27, 2021 Pete Cavicchia

A lot has been written about the high rates of cybercrime and ransomware attacks over the past year. The uncertainties of an era marked by the COVID-19 pandemic, along with a move to the work-from-home lifestyle that put a lot of people’s sensitive data at risk, are represented quite starkly by a new report on ransomware payments for the first half of 2021.

A recent report from the United States Department of the Treasury reveals that ransomware payments climbed to almost $600 million over the course of the first six months of 2021.

By comparison, the ransomware payments made for all of 2020 totaled $416 million. For concrete examples of how high impact these attacks can be, just think back to what happened during the Colonial Pipeline and meat processor JBS USA Holdings incidents this year. Both were forced to pay millions, with real world consequences. After both hacks, meat supplies were affected and the nation’s gas prices went up, CNET reports.

“The Treasury says the rise potentially reflects both a big increase in ransomware-related attacks, as well as improved detection and reporting of those attacks by financial institutions,” writes CNET’s Bree Fowler. “It notes that the number of ransomware-related suspicious activity reports also rose 30 percent to 635, when compared to the entire calendar year of 2020.”

A bleak reality stands — the Treasury Department estimates the total ransomware payments for the entire calendar year will extend beyond those of the past 10 years combined.

This warning underscores what everyone can do to be vigilant about these attacks. You don’t have to be the CEO of a tech firm to feel the pressure of how crucial it is to secure your data.

If you receive a strange email or text message from a source you don’t recognize, never share personal financial information or transfer funds. If a suspicious email or text contains a link, do not click on it.

These commonsense practices that mark effective cybersecurity hygiene are important for all of us to keep in mind, especially as current work-from-home policies further blur the lines of distinction between personal and professional. In short, transmitting sensitive data over a shared family computer can bear with it serious cybersecurity headaches.

Make sure you always update software on all of your devices, institute multi-factor authentication, and educate others in your household or at your office about proper protocols for keeping sensitive data protected from hackers.

Tags Ransomware, Cybersecurity hygiene

Why the European Parliament is Looking at Facial Recognition Ban

October 21, 2021 Pete Cavicchia

From social media tagging on popular platforms like Facebook to a way to unlock your iPhone, facial recognition technology is an increasingly sophisticated tool utilized by nearly every major tech company. It has been a part of law enforcement, building security, and personal computing.

Now, the European Parliament is looking to rein in its use in public spaces.

Earlier this month, the European governing body called on police to pull back on their use of artificial intelligence (AI) services that use facial recognition, a call to limit the application of this tech in mass public surveillance programs.

Members of the parliament voted 377 in favor, 248 opposed on a non-binding resolution that asked European Union lawmakers to ban automatized facial recognition and put in place safeguards for how police forces use this AI, Engadget reports.

What these political leaders are saying is that everyday citizens should only be monitored by AI tools if they are suspected of an actual crime. They are suggesting this shouldn’t be an automatic protocol applied to all people in public spaces.

Engadget’s Kris Holt writes that the big concern centers on what is known as “algorithmic bias” in AI programs. The legislators are pointing to past research that suggests these kinds of facial recognition AI systems tend to misidentify minority ethnic groups, LGBTQ+ individuals, women, and senior citizens at higher rates than other people who are scanned by the same programs.

“Those subject to AI-powered systems must have recourse to remedy,” the resolution reads. They also are calling for a ban of private databases of facial recognition information and what is being called “predictive policing based on behavioral data.”

Holt adds that this latest resolution comes after recommendations earlier this summer from the European Data Protection Board and the European Data Protection Supervisor that said this tech should not use biometric data to classify people into “clusters based on ethnicity, gender, political or sexual orientation.”

Essentially, use of this AI could be mishandled in a discriminatory way, according to the Engadget writer.

What this news further underscores is that the use of ever more sophisticated AI technology will continue to be debated by policymakers and the public alike. As it becomes applied more and more in our daily lives, we will see calls for regulation, and discussions over how best it can be used.

Tags Facial Recognition, Engadget, AI

Keeping Security at the Forefront When Apple Operating System Updates

September 29, 2021 Pete Cavicchia

If you are one of the more than 1 billion Apple iPhone users in the world, it was a big day for you. On Monday, September 20, the tech giant unveiled iOS 15, the latest version of its smartphone operating system.

It offered important changes to how your phone will operate — from being able to make FaceTime calls to Android users to more sophisticated artificial intelligence (AI) capabilities to better identifying plants and animals in your photos, CNBC reports.

Among these updates are improved security protections. One feature of the update is “App Privacy Report,” which will show you how often an app has used your location and your microphone over the past week. Additionally, it will let users know when apps are communicating back to their own servers. Those who pay for Apple’s popular iCloud have a feature called “iCloud Private Relay,” which will hide IP addresses, preventing your location from being revealed to unwanted third parties, CNBC adds.

While all of this should put you more at ease that your data is better protected than it had been through older operating systems, it doesn’t mean that you can take a back seat and not be proactive about enabling many of these new features.

Wired offers a comprehensive review of privacy settings you should change once you update your iPhone. Here’s an overview of some of their recommendations:

  • Block email tracking: There are still trackers that exist in the emails you send — they can be in the pixels that are situated in the footer, header, or body of emails, shooting back your information to the email sender. Wired says that Apple’s Mail Privacy Protection tool stops this. To set it up, go to Settings, Mail, Privacy Protection, and then turn on “Protect Mail Activity.”

  • Check up on your apps: Turn on the aforementioned App Privacy Report. Tap “Record App Activity” in Settings.

  • Hide IP addresses: To hide your IP address from the sites you visit, go to Settings, Safari, “Hide IP Addresses” and then turn on “Trackers and Websites.”

  • Apple’s authenticator: As is always a good idea when it comes to proper cybersecurity hygiene, make sure you utilize two-factor or multi-factor authentication for all online accounts you use. You can put in place verification codes for these two-factor authentication practices by going to Settings and then “Passwords.” You can set verification codes to autofill whenever you log on to Safari for web browsing on your iPhone.

  • Turn on iCloud Private Relay: To utilize iCloud Private Relay if you’re a paying iCloud user, go to Settings, click on your name, go to iCloud, then turn on Private Relay.

As always, if you download a new operating system update on any device — and this recommendation is universal and can apply beyond Apple products — don’t just assume all of the new patches are automatically enabled. With any aspect of your personal data protection, you have to be vigilant.

Tags iPhone, FaceTime, App Privacy, Peter Cavicchia