Eliana Willis

Outrage continues to swirl around a proposed plan from the Treasury Department to require some taxpayers to submit to facial recognition and biometric surveillance in order to access their accounts online. The proposal faced further scrutiny after it was revealed the IRS planned to involve controversial facial recognition company ID.me in the effort. Fight for the Future, Algorithmic Justice League, EPIC, and other civil rights organizations launched a website — called Dump ID.me — allowing people to sign a petition against the IRS plan. This campaign site comes after days of criticism from privacy, justice, and civil rights groups concerned about the potential for a company like ID.me to have access to peoples’ most sensitive data. 

ID.me’s CEO Blake Hall faced widespread backlash for a LinkedIn post where he admitted that the company had been lying about the way its tool works. The company initially claimed it only runs a 1:1 match, but Hall revealed that it does run some 1:many matches and compares peoples’ images to a massive database, news first reported by CyberScoop’s Tonya Riley.  Caitlin Seeley George, campaign director at Fight for the Future, said the plan to use facial recognition on taxpayers was bad from the start, and it only got worse as more information was revealed.”Part of why we launched this effort is because we think it’s critical that the IRS hears public concerns about this issue. There’s already been a swift outcry from civil rights organizations and experts, but people broadly understand that they should not have to hand over their biometrics in order to access their IRS information (or at all, really),” George told ZDNet. “ID.me is a particularly troubling tool, especially with the revelation that they have been publicly lying about how it works and the types of verification it does,” George added. “But all facial recognition tools will cause a lot of the same issues: they will amass a database of peoples’ most sensitive information that can be shared with other agencies and law enforcement, and also will be a target for hackers. No government agency should be using facial recognition or other biometrics to verify identity.”

Late last week, Bloomberg reported that the Treasury Department is now considering other vendors for the facial recognition project, but the outrage over the situation has sparked further concern about the widespread use of facial recognition across the federal government as well as state governments. 

Fast Company reported that ID.me is now used by the Department of Veterans Affairs, the Social Security Administration, and several other federal agencies. Jay Stanley, senior policy analyst at the ACLU, told ZDNet that dozens of agencies across the country mandate facial recognition in order to access government benefits. The IRS began forcing some people to use ID.me in order to access the expanded child tax credits that were part of President Joe Biden’s American Rescue Plan. There are a range of issues with facial recognition, most notably that it has been proven repeatedly to be inaccurate with the faces of Black and brown people as well as women. Artificial intelligence researchers Inioluwa Deborah Raji and Dr. Joy Buolamwini released a study in 2019 proving that Amazon’s facial recognition software made more mistakes when identifying the faces of Black people, particularly Black women.  Also: Backlash to retail use of facial recognition grows after Michigan teen unfairly kicked out of skating rinkStanley added that the use of facial recognition by government agencies creates a number of accessibility issues for people, noting that some state agencies use it to vet unemployment insurance recipients. It requires strong internet connections — something many people don’t have — and puts an undue burden on people attempting to access benefits Congress has deemed them eligible for, according to Stanley. “Its just not right to use a technology with those kinds of biases for such a public purpose. This kind of core government functions shouldn’t be done by a private company,” he said, adding that ID.me would not be subject privacy laws and certain checks and balances, despite carrying out an essential government function. Many states are using facial recognition for government services through funding coming from the federal government, and Stanley said strings need to be attached to ensure the algorithms aren’t biased. Aubrey Turner, executive advisor at Ping Identity, was critical of the outrage directed toward the IRS effort. Turner acknowledged the privacy and demographic bias concerns raised by watchdogs but said everyone’s images are captured by traffic cameras, security cameras at the airport and through social media accounts. 

“Not going so far as to call it fake outrage, but let’s be pragmatic for a moment. Overall, I think it’s a good idea for the IRS to include modern identity proofing as part of the account registration/access process. Known as document-centric identity proofing within the IAM industry, the process of uploading the document (e.g., drivers license) and taking a selfie (capturing biometric data) is to attain a desired level of confidence the taxpayer user is who they claim to be while mitigating counterfeiting/forgeries. Notwithstanding the security aspect, there is also a user convenience component. This same proofing process can also be a means to reducing and removing passwords for the account enrollment process, which also has positive user experience upside,” Turner said. “Facial recognition can certainly be creepy if used inappropriately in marketing with social media apps. But it can also be tremendously convenient clearing airport security or unlocking your smartphone. The realities of today’s cyber threats means we have to find innovative and dynamic ways to prevent things like account takeover,” Turner added.”Technological innovation is accelerating faster than at any point in modern history, and there will always be misalignment between tech and regulations. There are emerging use cases and things we have yet to conceive that will certainly challenge our notions of the balance of privacy, security, and convenience. But the bottom line is that we can’t let perfect get in the way of progress,” Turner said.He noted that a debate should be had about whether the government should have built the system itself, but said “private enterprises often innovate to close gaps.”Also: Facebook is shutting down its facial recognition systemRegardless of the outrage, more businesses will be leveraging identity proofing processes that utilize biometric and behavioral data, Turner added. “I think not using these more secure methods [is] worse than the alternatives. This is the first in an oncoming wave, so the government should be fostering this innovation and not putting up roadblocks,” Turner said. “I think there are legitimate privacy concerns with facial recognition and biometric data that shouldn’t be ignored. The time for digital identity proofing has come (will only continue to grow in government and private sectors), so we should embrace it versus being outraged without practical alternatives to the realities of today’s cyber security challenges.”Buolamwini — who has become an advocate against facial recognition since publishing her study — released a letter to the Biden Administration last week where she said the real-world impact on marginalized communities will “likely get worse because of the unchecked proliferation of facial recognition technologies generally.” “These technologies are being deployed at an unprecedented rate across state and federal agencies. They are imposed on the public without sufficient public scrutiny, debate, or oversight, causing harm to the populous generally,” Buolamwini said. “No biometric technologies should be adopted by the government to police access to services or benefits, certainly not without cautious consideration of the dangers they pose, due diligence in outside testing, and the consent of those exposed to potential abuse, data exploitation, and other harms that affect us all.”

Government More

Mozilla announced on Tuesday that it is adding Multi-Account Containers, one of the most popular add-ons in Firefox, to the desktop version of the company’s VPN service. 

ZDNet Recommends

Mozilla VPN 2.7’s addition of multi-account containers will allow users to separate personal and work profiles as well as others for shopping, banking and more. The tool in Firefox allowed people to separate each profile into color-coded tabs and custom labels.”Combined with Mozilla’s VPN, it adds an extra layer of protection to their compartmentalized browsing activity, and additional safeguarding of their location information, as well,” a Mozilla spokesperson said. “Bringing the multi-hop feature, a popular component of Mozilla VPN’s desktop offering, to the mobile version will let Android and iOS users use two VPN servers instead of one, giving them and their browsing a little extra privacy.”According to Mozilla, multi-account containers were initially rolled out in 2017, and it quickly became a favorite of users. 
Mozilla
“Instead of opening a new window or different browser to check your work email, you could easily separate that activity in a container tab. We created tab-specific containers like personal, work, shopping, banking and social media and added options so you can personalize it by color, logo or a different name,” Mozilla explained. Also: Google unveils differential privacy tool for Python developers processing data

“Behind the scenes, the websites and their cookies are isolated from the other containers, thus allowing you to sign into two different accounts on the same site (one for work and one for personal). The Multi-Account Containers Add-on has had more than thousands of users who’ve called it a ‘productivity hack,’ ‘simply phenomenal,’ and ‘perfect for privacy.'”The company used the example of a person on a business trip to Paris needing to check their personal bank account from their work computer. A user would be able to separate their activity from their work. “For those who aren’t yet ready for travel and are keeping in touch with family and friends through emails and video, you can set one of your containers to shopping and change the server to the nearest city of your loved ones’ home and check out local shops to have flowers or a meal delivered to their home for that special occasion or just to say hello,” Mozilla added. Mozilla also added the multi-hop feature to the Android and iOS versions of the app, allowing people to use two VPN servers instead of one. The feature is targeted toward people who are “ultra-conservative when it comes to privacy”, like political activists, journalists and more. Mozilla recently added “Total Cookie Protection” to the platform as a way to stop cookies from tracking you across the web. More

A cyberattack on two German oil suppliers has forced energy giant Shell to reroute oil supplies to other depots, according to Reuters and the Handelsblatt newspaper. Handelsblatt was the first to report on Monday that oil companies Oiltanking and Mabanaft, both owned by German logistics conglomerate Marquard & Bahls Group, had suffered a cyberattack that crippled their loading and unloading systems. Oiltanking had a throughput of 155 million tons in 2019, according to Handelsblatt.  

ZDNet Recommends

By Tuesday, Royal Dutch Shell said it was forced to reroute to different supply depots because of the issue. Oiltanking did not respond to requests for comment but confirmed the attack to The Stack and said they “have declared force majeure.” They reportedly discovered the attack on Saturday. The incident follows another cyberattack on billion-dollar German logistics firm Hellmann Worldwide Logistics that took place in December.  German officials spoke at a news conference about the issue. Arne Schonbohm, president of the Federal Office for Information Security, said the attack on Oiltanking was “serious, but not grave.” German intelligence officials released a warning last week about APT27 using the malware variant HYPERBRO against German commercial companies. “According to current knowledge, the attackers have been exploiting vulnerabilities in Microsoft Exchange and in the Zoho AdSelf Service Plus1 software since March 2021 as a gateway for the attacks. It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers,” German intelligence service BfV said.

“The cyber espionage group APT27 has been active since at least 2010. The BfV is currently observing an increase in attacks against German targets by the group using the HYPERBRO malware.”Rumors that the Oiltanking incident is a ransomware attack reignited concerns about attacks on oil companies. Last year, US oil giant Colonial Pipeline dealt with a devastating ransomware attack that crippled its business services and left significant parts of the East Coast without access to gas for less than a week. “Impacting elements of the fuel, heating, and combustibles supply chain during the winter season potentially puts human safety and wellbeing in the crosshairs — these types of attacks underscore the very serious risks posed by criminals to foundational parts of essential services and infrastructure,” said Tim Wade, technical director at Vectra.  More

Image: Firewalla
Firewalla is expanding its product lineup today with its fourth network security device. As is the case with each product in Firewalla’s lineup, the

$319 Purple

takes a different approach to provide an extra layer of security to your home network.  In addition to two gigabit Ethernet ports on the Purple — a device that’s roughly the size of a Raspberry Pi — the Purple can also be used to create a short-range Wi-Fi network when you’re working in a coffee shop or a hotel while traveling. 

ZDNet Recommends

You can use the Purple as a router at home. You can also set it up between your modem and router to monitor your traffic, look for malicious websites, and send you alerts via the Firewalla iPhone or Android app.  I’ve now used every Firewalla device available, and they all do exactly what is advertised. With Purple, I was able to migrate the settings and rules I had set up from when I tested

Firewalla Gold,

and the Purple was up and running in a few minutes. That includes my ad blocking and routing rules, along with VPN and DDNS settings.  That means you can connect to your home network via a VPN connection, either protecting your Wi-Fi activity while you’re away from home or allowing you to access devices and files stored on your home’s network.  I haven’t had a reason yet to leave the house and take Purple with me, but messing around with the app and reading through the instructions makes it look simple enough.  The only catch is that you’ll need to complete the initial setup of Purple before you take it with you.

Firewalla also has

Blue Plus,

Red,

and

Gold.

Each one varies in cost and overall network speed, with the Gold and Purple being the most capable and powerful of the bunch. You can learn more about Firewalla’s network security products either by visiting Firewalla’s website or reading my review of the Blue. More

On Tuesday, device security firm Forescout Technologies announced that it is acquiring healthcare cybersecurity provider CyberMDX for an undisclosed amount. 

ZDNet Recommends

The best security key

While robust passwords help you secure your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

Forescout provides a broad range of services for IT, IoT, OT and IoMT devices, making the acquisition of CyberMDX key to their expansion into the healthcare market. “Forescout is seeing rapid growth in healthcare, a market the company has always focused attention on from a technology and sales perspective,” said Wael Mohamed, CEO of Forescout. “Cybersecurity for IoMT, much like cybersecurity for OT devices, requires specific expertise and technologies. We are pleased to have the CyberMDX team join Forescout as we continue delivering new capabilities on our market-leading platform and grow our R&D center.”The companies added that thanks to the merger, the two will “have a powerful platform that delivers an easy-to-use, scalable and agentless approach to device visibility, classification, threat detection and incident response focused on IoMT devices to better serve healthcare organizations.”Forescout previously acquired industrial control systems firm SecurityMatters for $133 million in an all-cash deal in 2018. Forescout itself was acquired by global private equity investor Advent International in a February 2020 deal worth $1.9 billion. The deal nearly fell through because of the pandemic but eventually was agreed upon at a 12% lower price in July 2020. Forescout claimed it has the largest number of deployments of OT infrastructure protection solutions globally and currently works with hospitals like the University Health Network in Toronto. Mohamed told ZDNet that the challenges healthcare organizations face around the globe as OT and IoMT devices come online prompted them to work with CyberMDX on delivering expanded, specialized capabilities for deeper visibility and granularity. 

“Forescout experienced great growth in our healthcare business in 2021, and we saw the need for deeper coverage in medical devices. We conducted an extensive evaluation and found a great partner and technology solution in CyberMDX. Bringing these two companies together means that we will be able to deliver the highest quality device visibility and risk assessment coverage for healthcare organizations around the globe. CyberMDX will continue to operate as a standalone company,” Mohamed said. “For Forescout, acquiring CyberMDX enhances our ability to address the growing demands and requirements from biomedical and clinical teams. The combined Forescout-CyberMDX solution delivers high-value cybersecurity automation capabilities that keep healthcare customers continuously compliant with healthcare regulations and best practices. It also enables our customers to make easier purchasing decisions and govern their network with a single solution. For CyberMDX, being acquired by Forescout means joining forces with a large, global leader in cybersecurity to continue its mission of protecting the things that protect human lives.”Amir Magner, president and co-founder of CyberMDX, said the move would help the company continue its work of providing healthcare institutions with wider cybersecurity protection. “CyberMDX enables hospitals to provide quality care by securing and protecting the systems and devices they rely on every day to treat patients and save lives,” Magner said. “We are thrilled to join the Forescout team where our innovation can continue to make a profound difference to healthcare organizations around the world.” More

Iranian hackers are targeting a range of organisations around the world in campaigns that use previously unidentified malware to conduct cyber-espionage actions and steal data from victims – and in some cases, the state-backed attackers are also launching ransomware in a dual effort to embarrass victims and cover their tracks. The two separate campaigns have been detailed by cybersecurity researchers at Cybereason, who’ve attributed the activity to an Iranian hacking group they track as Phosphorus – also known as APT35 and Charming Kitten – along with another Iranian-linked cyber operation, dubbed Moses Staff.

ZDNet Recommends

The attacks by Phosphorus have a more ‘traditional’ approach to cyber espionage, in that they’re designed to steal information and conduct operations that run in the interests of Tehran.  SEE: A winning strategy for cybersecurity (ZDNet special report) The group is suspected of being behind multiple espionage campaigns against organisations and individuals in the United States, Europe and the Middle East, as well as attempts to interfere with the US presidential elections.Now Phosphorus has added a new tool to their arsenal, trojan malware, which researchers have called PowerLess Backdoor, that allows attackers to conduct activity with little chance of being detected.  Once installed on a compromised machine, PowerLess allows attackers to download additional payloads, and steal information, while a keylogging tool sends all the keystrokes entered by the user direct to the attacker. 

Analysis of PowerLess backdoor campaigns appear to link attacks to tools, techniques and motivations associated with Phosphorus campaigns. In addition to this, analysis of the activity seems to link the Phosphorus threat group to ransomware attacks.  One of the IP addresses being used in the campaigns also serves as a command and control server for the recently discovered Momento ransomware, leading researchers to suggest there could be a link between the ransomware attacks and state-backed activity. “A connection between Phosphorus and the Memento ransomware was also found through mutual TTP patterns and attack infrastructure, strengthening the connection between this previously unattributed ransomware and the Phosphorus group,” said the report. Cybereason also found a link between a second Iranian hacking operation, named Moses Staff, and additional ransomware attacks, which are deployed with the aid of another newly identified trojan backdoor, dubbed StrifeWater.  The trojan is used for the initial phases of the attack, before it removes itself after being replaced with other tools. The way StrifeWater removes itself relatively early in the infection process is the reason it hasn’t been detailed previously. Like Phosphorous, the key aim of Moses Staff is to conduct espionage and steal information “to advance Iran’s geopolitical goals” with victims all over the world, including the US, Israel, Germany, Chile, Turkey, and the United Arab Emirates.  But while the whole point of espionage is usually to stay under the radar, Moses Staff attacks actively deploy a form of ransomware after they’ve gathered what they need. “It’s like a scorched earth policy,” Assaf Dahan, head of threat research at the Cybereason Nocturnus Team, told ZDNet.The malware attacks in a similar way to ransomware, in that files are encrypted and stolen, but unlike regular ransomware operations, there isn’t a ransom demand – the attacks are launched purely with damage in mind. However, the similarity in design to ransomware could draw victims away from suspecting an espionage campaign as they rush to combat what looks like a standard ransomware attack.  SEE: Why Iranian hacking operations could be a threat to your networkBut while it looks like ransomware, those behind it haven’t built a backend for accepting a ransom payment, let alone supplying an encryption key. “Their main goal is to disrupt business and disseminate fear,” said Dahan, describing how Moses Staff attacks, while state-sponsored, also appear to take cues from hacktivism campaigns, with custom graphics and boasts about hacking victims. “They tried to appear as activists group operating on behalf of Iranian state interest,” he explained, adding: “They have a website and a logo and everything, they say ‘hey, it’s us’ and they’re quite verbose and vocal about their mission.”It’s thought that both campaigns remain active, but there are actions that organisations can take in an effort to avoid becoming a victim. Key among these is patching software and systems, because the attacks are known to exploit publicly available exploits, including the ProxyShell vulnerabilities in Microsoft Exchange, as well Log4j vulnerabilities. By applying security updates as soon as possible, it reduces the chances of any attackers having time to exploit disclosed vulnerabilities. It’s also recommended that information security staff and network administrators are proactive in looking for threats, by not only fully understanding their own network and being able to detect if something might be suspicious, but also to keep up to date with intelligence of the latest potential threats so they know what to look for. “Be proactive. Don’t just wait for an alert to pop because, by the time it pops, it could be too late,” said Dahan.MORE ON CYBERSECURITY More