Speaking of security education and training, the National Cybersecurity Center this week launched a new initiative to offer cyber-hygiene and IT security sessions to elected state government officials and their staff for FREE. The training sessions are getting a financial boost from Google and bipartisan support from Secretaries of State Frank LaRose (R-Ohio) and Jena Griswold (D-Colorado), who will be the program’s emissaries.

The lessons will focus on basic cyber-hygiene, including multi-factor authentication, passwords, and software patching, and will go further to educate lawmakers on threats such as phishing and ransomware and on the risks of supply-chain attacks.

The House Committee on Transportation and Infrastructure heard testimony from U.S. Department of Transportation (DOT) Secretary Pete Buttigieg this week on the Biden Administration’s priorities and plans for national transportation infrastructure.

Although Secretary Buttigieg’s testimony did not provide details specifically about unmanned aerial systems (UAS or drones), Secretary Buttigieg comes to the DOT with a history of success in promoting autonomous systems, which will hopefully help lead the way for the industry on a federal level.

A highlight for the UAS industry from the hearing was the Secretary’s support for regulatory updates and UAS technology. Secretary Buttigieg stated that “[t]he biggest thing that we need to do is establish safety and establish certainty for industry.” To support innovation in this space, Congress needs to keep up with the evolving technology. Collaboration between the DOT and the industry will allow federal policy to support safe deployment and integration.

We will continue to monitor progress toward federal regulation for safety, standards and privacy protections.

Many people continue to be unaware of how their data are collected, stored, used, disclosed, retained, or destroyed. As technology expands at an explosive pace, it is hard to stay current, and efforts to educate individuals on their privacy rights have diminished.

There are many organizations devoted to educating consumers on their privacy rights and committed to teaching them about the risks and considerations for protecting their privacy. One such organization, the Privacy Rights Clearinghouse, continues to provide relevant and timely content on the rapidly-changing patchwork of privacy risks and rights.

I began following the Privacy Rights Clearinghouse right from its inception because it was one of the first organizations to keep a detailed list of data breaches. It started tabulating the number of records that have been breached since 2005. As of this writing, that tally according to Privacy Rights Clearinghouse is 11,725,045,478. And the count changes daily.

In addition to keeping track of the number of records breached, Privacy Rights Clearinghouse provides up-to-date articles on different topics relating to privacy, resources on discrete topics such as robocalls, employee monitoring, exercising your rights under different laws, and how new technology affects your privacy.

This site is user-friendly and its content is robust. It is a good place to start if you want to find out more about your privacy rights.

The United States Government Accountability Office (GAO) recently completed and published a study on electricity grid cybersecurity that concluded that the Department of Energy (DOE) needs to ensure its plans fully address risks to electricity distribution systems.

The GAO completed two prior studies of the generation and transmission functions of the electricity grid and found that they are increasingly vulnerable to cyber-attacks. The third function of the electricity grid is distribution, which was the subject matter of this study.

According to the study, the U.S. electricity grid’s distribution systems, which comprise the conduits from electric companies to consumers and which are regulated by states, “are increasingly at risk from cyber-attacks.” The study explains, “Distribution systems are growing more vulnerable, in part because their industrial control systems increasingly allow remote access and connect to business networks.” As a result, they can be attacked through “multiple techniques” that can potentially disrupt operations.

The DOE has developed plans for the national cybersecurity strategy for the electricity grid. According to GAO’s study, the DOE’s plans “do not fully address risks to the grid’s distribution systems.” The GAO “recommends that DOE more fully address risks to the grid’s distribution systems from cyberattacks—including their potential impact—in its plans to implement the national cybersecurity strategy.” The DOE agreed with the recommendation and provided information on two research projects that are designed to improve the cybersecurity of distribution systems.

There are several diagrams of the risks to distribution systems in the study which are quite chilling. The study can be accessed here.

In what is being reported as the largest ransom demand ever, Taiwanese electronics and computer manufacturer Acer has reportedly been hit with a ransomware attack by REvil, which is demanding a ransom of $50 million for the destruction of leaked documents.

REvil posted images of Acer documents on its website, including financial and bank information, to prove it has exfiltrated data. In exchange for payment of the outrageous ransom request, REvil stated that it would provide a decryptor, a vulnerability report, and proof of deletion of the stolen files.

Acer has stated that there is an ongoing investigation and that it has notified appropriate authorities.

Aerospace and energy equipment manufacturer Honeywell has reportedly been hit with a cyber-attack in the form of a malware intrusion that disrupted some of its information technology systems. Honeywell issued a statement on March 23, 2021, stating that it “took steps to address the incident, including partnering with Microsoft to assess and remediate the situation.”

Honeywell confirmed that it has returned to service and that it has not identified “any evidence that the attacker exfiltrated data from our primary systems that store customer information. If we discover that any customer information was exfiltrated, we will contact those customers directly.”

Manufacturing companies have been hit hard recently with cyber-attacks, which is a wake-up call to evaluate cyber-hygiene and data theft prevention protocols.

What if you could control a computer with your mind? Well, Facebook’s latest device may allow you to do just that. Facebook recently announced that it has created a wristband that allows you to move a digital object just by thinking about it. The wristband looks like a large iPod on a strap and uses sensors to detect the user’s movements through electromyography (EMG). EMG interprets electrical activity from motor nerves as information is transmitted from the brain to the hand. An example: you could navigate through the augmented-reality menus by thinking about moving your finger to scroll through the options. However, Facebook notes that this “control” is coming from the part of the brain that controls motor information, not thought.

The wristband is still in the research-and-development phase at Facebook’s Reality Labs; no details about its cost or release date have been provided yet. This wristband is part of Facebook’s push for every-day virtual reality and augmented-reality products for consumers, and it’s likely only the beginning.

Facebook also released information earlier this month about its augmented-reality glasses that, as you walk past your favorite coffee shop, might ask you if you want to place an order. Herein lies a privacy dilemma: products such as these glasses and wristband mean that companies like Facebook will have access to even more data points about consumers than they already do. In the coffee shop for example, the company and its advertising partners would know what kind of coffee you prefer, where you live/work/frequently visit, and either by submission or statistical deduction, also know your demographic, health, and other personal information. A personalized consumer profile based on your every move could easily be created (or more likely added to the already-existing profile about your buying behaviors).

The California State Controller’s Office (SCO) was recently a victim of phishing. According to its website, an employee of the SCO’s Unclaimed Property Division clicked on a link in an email, entered their user ID and password, and unknowingly provided a hacker with access to the email account. According to the website, “SCO has reason to believe the compromised email account had personally identifying information contained in Unclaimed Property Holder Reports. The unauthorized user also sent potentially malicious emails to some of the SCO employee’s contacts.”

The SCO was in the process of notifying individuals who either received one of the malicious emails or may have had their information potentially exposed. SCO recommended these individuals place a fraud alert on their accounts with the three major credit bureaus. We have said many times that organizations must be vigilant in training employees not to click on links in emails, particularly when being asked to input user credentials and login information. Given the fact that the SCO in California oversees disbursements for what California State Controller Betty T. Yee has called the fifth largest economy in the world, this attack could have been much worse.

Although many students are returning to in-class learning, many others are still in a hybrid situation or fully remote at their own request. The rapid transition from in-school to the at-home learning setting has necessitated the use of classroom management software to manage online learning programs. One such product, Netop Vision Pro, is used by teachers to push content to students and allows them to share their screen with students. It is used by more than 9,000 school systems and three million teachers and students around the world.

Global computer security software company McAfee has reported that its researchers found four critical vulnerabilities in Netop Vision Pro software, including the ability of threat actors to plant malware and spy on users. The findings showed that network traffic between the teacher and the student was unencrypted, with no option to enable encryption. According to McAfee, the vulnerabilities “allow for elevation of privileges and ultimately remote code execution, which could be used by a malicious attacker, within the same network, to gain full control over students’ computers.”

McAfee reported its research to Netop in December 2020, and in February 2021 Netop was able to deliver an updated version of the software, which patched many of the critical vulnerabilities except for encryption of network traffic. McAfee commended Netop on its “outstanding response and rapid development” of the patch in responding to the work of the researchers. If your school system is using Netop Vision Pro, it is important to check whether it has applied the updated version and followed Netop’s instructions.

A lawsuit filed in North Carolina claims that, under the First Amendment, surveyors cannot stop drone operators from selling photos taken from above and making maps.

Typically, a landowner contacts a surveyor to help establish a legal property line. However, what if you just want to see what your property looks like or create a visual map of your property or business as a tool to make decisions about new developments on your property or to determine what type of topography you have? A surveyor is not your only option. Now, you can hire a drone operator to take aerial images using commercial drone software to create orthomosaic maps and 3D images.

North Carolina’s Board of Examiners for Engineers and Surveyors (the Board) may send a warning to drone operators warning them that certain photography might amount to surveying without a license, which could lead to criminal prosecution. Whether that’s practical (or legal) in the evolving drone industry is now up for debate.

Michael Jones, a photographer and videographer from North Carolina who began using drones to obtain images and video about five years ago, takes aerial images for many different client purposes, such as real estate; property management and inspection; and marketing. In 2018, he received a letter from the Board warning that his aerial imaging could be considered surveying without a license (even though he claims that he did not use his work to establish property lines and informed his clients that the images could not be used for legal purposes). However, a Board investigator told Jones that providing images with any metadata (such as GPS coordinates, elevation, or distance) or putting together several images to create a map of the land qualified as surveying and required a state-issued license. Jones ceased his work, worried that he could face criminal prosecution.

Now, in 2021, Jones has partnered with the Institute for Justice in a lawsuit against the Board claiming that the images that Jones created for his clients were not being used for determination of legal boundaries, but only for informational purposes, and therefore, such creating and sharing of information is protected by the First Amendment. A copy of the complaint can be found here.

Perhaps drone operators and traditional surveyors should combine forces: drones could be a useful tool for surveyors, saving time, money, and physical work.

We’ll keep you updated on how the court rules on this one.