Episode 186 Look, up in the sky! It’s a bird, it’s a plane! It’s... your insurance company!?!? - click the pic to hear the podcast - This week we have stats and stories that will leave you gasping, and that’s good because you’ll have a chance to catch your breath during our spring break over the next couple weeks. We start this update up there, in the sky, and the novel new way insurance companies are finding to lower risk and increase profits. - click the pic to hear the podcast - From there we move on to a US privacy bill that we never thought we would see get as far as it has, and just how many people are potentially lining up to stop it. It’s not 007, but SS7 and it involves spies and use by adversaries for so long that the Federal Communications Commission is calling for accountability. There’s a ransomware attack that hasn’t hit healthcare but a coffee loyalty program that has raised the profile of ransomware to new heights. From a Canadian listener an update on Microsoft’s Security Chickens. And finally the most amazing, incredible, unbelievable identity theft story we have ever heard. They removed the last public phone box in Metropolis in 2022, so there’s no chance to change, but that’s fine because by the time we get to the end of this week’s update we’ll only need one identity and it will be secure! - click the pic to hear the podcast - US: Insurers Are Spying on Your Home From the Sky https://nypost.com/2024/04/08/business/insurance-companies-use-drones-manned-planes-and-high-altitude-balloons-to-spy-on-homes-and-deny-coverage-report/ Across the U.S., insurance companies are using aerial images of homes as a tool to ditch properties seen as higher risk. Nearly every building in the country is being photographed, often without the owner's knowledge. Companies are deploying drones, manned airplanes and high-altitude balloons to take images of properties. No place is shielded: The industry-funded Geospatial Insurance Consortium has an airplane imagery program it says covers 99% of the U.S. population. The array of photos is being sorted by computer models to spy out underwriting no-nos, such as damaged roof shingles, yard debris, overhanging tree branches and undeclared swimming pools or trampolines. The red-flagged images are providing insurers with ammunition for nonrenewal notices nationwide. One of those homes belonged to Cindy Picos, a Northern California resident, who said her coverage was yanked last month after the insurer took aerial photos of her roof. The underwriter told Picos that the roof had “lived its life expectancy” — though she told the Journal that she had recently hired an independent inspector who said the roof was good another 10 years. The insurer declined to reconsider, she said. So what's the upshot for you? Home and auto insurance companies continue to report robust profits — fueled by steep rate increases. Premiums for US homeowners’ insurance jumped by an average of 21% from May 2022 to May 2023. That eclipsed the staggering 12% rise from the previous year. US: Is The US About To Pass a Landmark Online Privacy Bill? https://www.msn.com/en-us/news/politics/house-senate-leaders-nearing-deal-on-landmark-online-privacy-bill/ar-BB1l9oqh Leaders from two key committees in the U.S. Congress "are nearing an agreement on a national framework aimed at protecting Americans' personal data online," in a story sent in by Gillian Walker of Norman Associates. They call the move "a significant milestone that could put lawmakers closer than ever to passing legislation that has eluded them for decades, according to a person familiar with the matter, who spoke on the condition of anonymity to discuss the talks." The tentative deal is expected to broker a compromise between congressional Democrats and Republicans by preempting state data protection laws and creating a mechanism to let individuals sue companies that violate their privacy, the person said. Rep. Cathy McMorris Rodgers (R-Wash.) and Sen. Maria Cantwell (D-Wash.), the chairs of the House Energy and Commerce Committee and the Senate Commerce Committee, respectively, are expected to announce the deal next week... Lawmakers have tried to pass a comprehensive federal privacy law for more than two decades, but negotiations in both chambers have repeatedly broken down amid partisan disputes over the scope of the protections. Those divides have created a vacuum that states have increasingly looked to fill, with more than a dozen passing their own privacy laws... [T]heir expected deal would mark the first time the heads of the two powerful commerce committees, which oversee a broad swath of internet policy, have come to terms on a major consumer privacy bill... The federal government already has laws safeguarding people's health and financial data, in addition to protections for children's personal data, but there's no overarching standard to regulate the vast majority of the collection, use and sale of data that companies engage in online. So what's the upshot for you? Let's hope they can get a bill through before the lobbyists get sent in to fight it. A lot of companies make a lot of money from your data and right now there are more corporate lobbyists in Washington D.C. than elected officials. The total number of U.S. congressmen and senators is 435 representatives in the House plus 100 senators in the Senate, totaling 535 elected officials in Congress. In 2023 there were over 12,500 registered lobbyists actively working in Washington, DC, or 23 lobbyists per elected official. US: FCC starts to take action to plug the security holes in SS7 https://s3.documentcloud.org/documents/24527269/da-24-308a1.pdf First, what is SS7? Signaling System No. 7 is a set of telephony signaling protocols developed in the 1970s, which is used to set up and tear down telephone calls in most parts of the world-wide public switched telephone network. The protocol also performs number translation, local number portability, prepaid billing, Short Message Service, and other services. The U.S. Federal Communications Commission (FCC) is stepping up efforts to secure decades-old flaws in American telephone networks that are allegedly being used by foreign governments and surveillance outfits to remotely spy on and monitor wireless devices. At issue are the Signaling System Number 7 (SS7) and Diameter protocols, which are used by fixed and mobile network operators to enable interconnection between networks. They are part of the glue that holds today's telecommunications together. According to the US watchdog and some lawmakers, both protocols include security weaknesses that leave folks vulnerable to unwanted snooping. SS7, which was developed in the mid-1970s, can be potentially abused to track people's phones' locations; redirect calls and text messages so that info can be intercepted; and spy on users. The Diameter protocol was developed in the late-1990s and includes support for network access and IP mobility in local and roaming calls and messages. It does not, however, encrypt originating IP addresses during transport, which makes it easier for miscreants to carry out network spoofing attacks. "As coverage expands, and more networks and participants are introduced, the opportunity for a bad actor to exploit SS7 and Diameter has increased," according to the FCC. So what's the upshot for you? On March 27 the commission asked telecommunications providers to detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers' locations. The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and -- if known -- the attacker's identity. US: Panera Bread week-long IT outage caused by ransomware attack https://www.bleepingcomputer.com/news/security/panera-bread-week-long-it-outage-caused-by-ransomware-attack/ Panera Bread suffered a massive outage on March 22, impacting its internal IT systems, phones, point of sales system, website, and mobile apps. As systems were down, employees could not access their shift details and had to contact managers to learn when to come to work. The ransomware attack encrypted many of the company's virtual machines, preventing access to data and applications. The company has since restored some of its systems from backups. It is unclear which ransomware group is responsible for the attack, as none have claimed responsibility yet. This suggests that the attackers are either waiting for a ransom payment or have already received one. During the outage, stores were unable to process electronic payments and had to accept cash only. Additionally, the reward program systems were down, preventing members from redeeming their points and Sip Club members couldn't get their unlimited coffees. So what's the upshot for you? Ransomware miscreants have been literally killing people by taking hospital systems offline around the world, but when you take away people's coffee, that's when ransomware becomes personal. Global: Microsoft’s Security Chickens Have Come Home to Roost https://www.securityweek.com/microsofts-security-chickens-have-come-home-to-roost/ We'd like to thank Stephen Strohmeier of TD bank in Canada for calling out the following story: In its review of the Microsoft Exchange Online hack, the government’s Cyber Safety Review Board (CSRB) called out “a cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” and warned that a second nation state-backed hacking team (Russia) have also been rummaging through highly-sensitive Microsoft corporate email accounts, source code repositories, and internal systems. This “dangerous addition to security revenue,” as Alex Stamos just described it, gets even uglier when Microsoft’s own security problems are used to upsell customers and important mitigation technologies are only available in expensive licensing packages. The government’s Cyber Safety Review Board (CSRB) called out “a cascade of Microsoft’s avoidable error “The Board finds that this intrusion was preventable and should never have occurred,” the CSRB said, bluntly. “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.” While unsurprising, the CSRB findings should scare us all. Microsoft is too big to fail, with its OS and cloud technologies powering some of the most critical and essential services on earth. Microsoft and cloud service providers (CSPs) are custodians of nearly unimaginable amounts of data, from consumer personal information to communications of U.S. diplomats and other senior government officials, as well as commercial trade secrets and intellectual property. So what's the upshot for you? The Cyber Safety Review Board report is a remarkable document providing a blow-by-blow into one of the most daring APT attacks in history against a company that somehow blew a decade’s worth of goodwill and completely lost its way in security. US: Identity theft. He did what???!? https://www.thegazette.com/crime-courts/former-university-of-iowa-hospital-employee-used-fake-identity-for-35-years/ The next time you think you hare having a bad day, reread this: Matthew David Keirans, a former University of Iowa Hospital employee, admitted in court to using another man's identity since 1988. During his time at the hospital, Keirans worked in the IT department but was terminated in 2023 due to misconduct related to the identity theft investigation. He had been using the name William Donald Woods (a guy he worked at a hot dog stand with) since the late 1980s, obtaining jobs, insurance, and even paying taxes under this false identity. Keirans extensively used Woods' identity for decades, including obtaining fraudulent identification cards and acquiring loans totaling over $200,000 from Iowa credit unions. He also had money stored in a bank under Woods' name, accumulating significant wealth over the years. The real William Woods discovered the identity theft in 2019 when he found out about accumulated debts under his name. Despite presenting authentic identification, he was unable to prove his identity due to Keirans' manipulation of accounts and documents. Woods was wrongfully arrested and sent to a mental hospital as a result of Keirans' actions. Only in 2023 did Woods manage to raise his complaint to the University of Iowa Hospitals' security department, leading to an investigation by the University of Iowa Police Department. Following an interview where Keirans confessed to the identity theft, he faced charges in both state and federal courts. He pleaded guilty to federal charges in August, with a sentencing yet to be scheduled. Keirans is currently in custody awaiting sentencing. So what's the upshot for you? When confronted with DNA evidence, Keirans responded by saying, “my life is over” and “everything is gone.” ..But it wasn't his life. It was someone elses... and now he has to give it back along with the wife and son he had under the stolen identity. - click the pic to hear the podcast - So to recap: This week we had stats that left even our cat gasping, and that’s good because he’ll have a chance to catch his breath during our spring break over the next couple weeks. We started this update up ... in the sky, with aerial shots of your house and property and yet another method insurance companies can use to dump various customers they judge as higher risk = lower profit. These tactics and rocketing prices may make the insurance industry one of the most despised lines of business. From there we had an update of a bipartisan US privacy bill put together by two women, one a democrat and the other a republican and chairs of the House Energy and Commerce Committee and the Senate Commerce Committee, respectively, that may be announced next week. Then we learned that the U.S. Federal Communications Commission is finally going after the telecoms protocol SS7, in use globally by requesting that telecoms companies provide insight into how often and by whom the protocol is misused to monitor end users, and how they think, they can prevent it. We got an update on the Panera Bread ransomware attack, hitting home because so many could not get coffee from their coffee subscription plan. There was an interesting view on Microsoft creating insecure apps and then profiting by selling security software to mitigate those insecurities. We finished with the story of a man whose identity was stolen and used by someone else for over 30 years and who, when he went to reclaim it, was instead sent to a mental hospital and to jail. ...And so that you don’t find yourself with a stolen identity we are including 20 suggestions to help you lock down your own identity...
Our quote of the week – She's 80 my nan(grandmother), what do you want for your birthday? "SHREDDER!! GET ME A SHREDDER!!", what do you want a shredder for? "IDENTITY THEFT!!" – Russell Howard That's it for this week. Stay safe, stay secure, and up in the sky, it’s a bird, it’s a plane… nevermind, we'll see you in twenty-one! Episode 185 This week’s update starts out leaking like an old bucket, but gets patched up pretty good - click the pic to hear the podcast - We start with our friends at AT&T and yet more mobile phone subscriber detail launched out onto the dark web. Is it playing catch up with another mobile service provider? An almost shocking update from the Department of Homeland Security that they are halting the purchase of your location data and phone records from data brokers. Could this be the DHS realizing they were doing wrong or is it simply down to budget cuts? Then there’s news from President Joe that all agencies should appoint a chief AI officer. In the acronym laden US government that would mean adding a CAIO to the C-suite. Not to be outdone, the VP announced some new AI standards introducing the novel new word “fairness” to some of the use cases that are popping up like spring flowers across the US. The US taxpayers on are the hook in a new reward for the capture of the BlackCat hackers, before we move on to Google pledging to destroy the truckloads of data it collected on you (and others) while you used their browser in incognito mode. We finish the update with that look in your eye that has given yet another country the impetus to pause retina scanning by a man called Sam. If there’s a hole in the bucket, we’d better get to fixing it. Grab some straw and let’s go! US: "We take cybersecurity very seriously..." AT&T Says Data From 73 Million Customers Has Leaked Onto the Dark Web https://www.cnn.com/2024/03/30/tech/att-data-leak/index.html AT&T has launched an investigation into the source of the data leak... In a news release Saturday morning, the telecommunications giant said the data was "released on the dark web approximately two weeks ago," and contains information such as account holders' Social Security numbers. "The information varied by customer and account," AT&T said in a statement, " but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode." "It is not yet known whether the data ... originated from AT&T or one of its vendors," the company added. "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set." The data seems to have been from 2019 or earlier. The leak does not appear to contain financial information or specifics about call history, according to AT&T. The company said the leak shows approximately 7.6 million current account holders and 65.4 million former account holders were affected. CNN says the first reports of the leak came two weeks ago from a social media account claiming "the largest collection of malware source code, samples, and papers. Reached for a comment by CNN, AT&T had said at the time that "We have no indications of a compromise of our systems." AT&T's web site now includes a special page with an FAQ — and the tagline that announces "We take cybersecurity very seriously..." "It has come to our attention that a number of AT&T passcodes have been compromised..." The page points out that AT&T has already reset the passcodes of "all 7.6 million impacted customers." It's only further down in the FAQ that they acknowledge that the breach "appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and 65.4 million former account holders." In March 2023 the company notified 9 million wireless customers that their customer information had been accessed in a breach of a third-party marketing vendor. In August 2021 — in an incident AT&T said is not connected to the latest breach — a hacking group claimed it was selling data relating to more than 70 million AT&T customers. At the time, AT&T disputed the source of the data. It was re-leaked online earlier this month. According to a Mar. 22 TechCrunch article, a new analysis of the leaked dataset points to the AT&T customer data being authentic. "Some AT&T customers have confirmed their leaked customer data is accurate," TechCrunch reported. "But AT&T still hasn't said how its customers' data spilled online." So what's the upshot for you? To put this into context, T-Mobile have had 8 large data breaches since 2018. We know these two are competitors. Perhaps the next contest should be for the most secure client data handling. - click the pic to hear the podcast - US: DHS Is Expected to Stop Buying Access to Your Phone Movements https://www.notus.org/technology/dhs-access-phone-movements-data Since 2018, agencies within the department — including Immigration and Customs Enforcement, U.S. Customs and Border Protection and the U.S. Secret Service — have been buying access to commercially available data that revealed the movement patterns of devices, many inside the United States. Commercially available phone data can be bought and searched without judicial oversight. Three people familiar with the matter said the Department of Homeland Security isn't expected to buy access to more of this data, nor will the agency make any additional funding available to buy access to this data. The agency "paused" this practice after a 2023 DHS watchdog report [which had recommended they draw up better privacy controls and policies]. However, the department instead appears to be winding down the use of the data... "The information that is available commercially would kind of knock your socks off," said former top CIA official Michael Morell on a podcast last year. "If we collected it using traditional intelligence methods, it would be top-secret sensitive. And you wouldn't put it in a database, you'd keep it in a safe...." DHS' internal watchdog opened an investigation after a bipartisan outcry from lawmakers and civil society groups about warrantless tracking... So what's the upshot for you? "Meanwhile, U.S. spy agencies are fighting to preserve the same capability as part of the renewal of surveillance authorities. " US: More AI Safeguards Coming, Including Right to Refuse Face-Recognition Scans at US Airports https://www.cnn.com/2024/03/28/tech/vp-kamala-harris-agencies-ai-technology/index.html https://arstechnica.com/tech-policy/2024/03/why-every-federal-agency-must-now-appoint-a-chief-ai-officer/ This week every U.S. agency was ordered to appoint a "chief AI officer". But that wasn't the only AI policy announced. According to CNN, "By the end of the year, travelers should be able to refuse facial recognition scans at airport security screenings without fear it could delay or jeopardize their travel plans." That's just one of the concrete safeguards governing artificial intelligence that the Biden administration says it's rolling out across the U.S. government, in a key first step toward preventing government abuse of AI. The move could also indirectly regulate the AI industry using the government's own substantial purchasing power. The mandates aim to cover situations ranging from screenings by the Transportation Security Administration to decisions by other agencies affecting Americans' health care, employment and housing. Under the requirements taking effect on December 1, agencies using AI tools will have to verify they do not endanger the rights and safety of the American people. In addition, each agency will have to publish online a complete list of the AI systems it uses and their reasons for using them, along with a risk assessment of those systems... Because the government is such a large purchaser of commercial technology, its policies around procurement and use of AI are expected to have a powerful influence on the private sector. CNN notes that Vice President Harris told reporters that the administration intends for the policies to serve as a global model. So what's the upshot for you? "Meanwhile, the European Union this month gave final approval to a first-of-its-kind artificial intelligence law, once again leapfrogging the United States on regulating a critical and disruptive technology." US: US Offers $10 Million Bounty For Info on 'Blackcat' Hackers Who Hit UnitedHealth https://www.reuters.com/technology/cybersecurity/us-offers-10-million-bounty-info-blackcat-hackers-who-hit-unitedhealth-2024-03-27/ The U.S. State Department has offered up to $10 million for information on the "Blackcat" ransomware gang who hit the UnitedHealth Group's tech unit and snarled insurance payments across America. "The ALPHV Blackcat ransomware-as-a-service group compromised computer networks of critical infrastructure sectors in the United States and worldwide," the department said in a statement announcing the reward offer. UnitedHealth said last week it was beginning to clear a medical claims backlog of more than $14 billion as it brought its services back online following the cyberattack, which caused wide-ranging disruption starting in late February. UnitedHealth's tech unit, Change Healthcare, plays a critical role in processing payments from insurance companies to practitioners, and the outage caused by the cyberattack has in some cases left patients and doctors out of pocket. The toll on the community health centers that serve more than 30 million poor and uninsured patients has been especially harsh. So what's the upshot for you? It looks like the US Taxpayers are going to add financial leverage to the capture efforts of the Blackcat gang Global: Google Pledges To Destroy Browsing Data To Settle 'Incognito' Lawsuit https://www.wsj.com/tech/google-pledges-to-destroy-browsing-data-to-settle-incognito-lawsuit-1febfde5 Google plans to destroy a trove of data that reflects millions of users' web-browsing histories, part of a settlement of a lawsuit that alleged the company tracked millions of users without their knowledge. The class action, filed in 2020, accused Google of misleading users about how Chrome tracked the activity of anyone who used the private "Incognito" browsing option. The lawsuit alleged that Google's marketing and privacy disclosures didn't properly inform users of the kinds of data being collected, including details about which websites they viewed. The settlement details, filed Monday in San Francisco federal court, set out the actions the company will take to change its practices around private browsing. According to the court filing, Google has agreed to destroy billions of data points that the lawsuit alleges it improperly collected, to update disclosures about what it collects in private browsing and give users the option to disable third-party cookies in that setting. The agreement doesn't include damages for individual users. But the settlement will allow individuals to file claims. Already the plaintiff attorneys have filed 50 queued up in California state court. Attorney David Boies, who represents the consumers in the lawsuit, said the settlement requires Google to delete and remediate "in unprecedented scope and scale" the data it improperly collected. So what's the upshot for you? "This settlement is an historic step in requiring honesty and accountability from dominant technology companies," Boies said. PT: Portugal Orders Altman's Worldcoin To Halt Data Collection https://www.reuters.com/markets/currencies/sam-altmans-worldcoin-ordered-stop-data-collection-portugal-2024-03-26/ Worldcoin encourages people to have their faces scanned by its "orb" devices, in exchange for a digital ID and free cryptocurrency. More than 4.5 million people in 120 countries have signed up, according to Worldcoin's website. Portugal's data regulator, the CNPD, said there was a high risk to citizens' data protection rights, which justified urgent intervention to prevent serious harm. More than 300,000 people in Portugal have provided Worldcoin with their biometric data, the CNPD said. So what's the upshot for you? Add Portugal to Spain and Kenya, all with temporary blocks on this Iris scanning for Worldcoin as they try to figure out whether the data taken is being handled safely. So to recap: We started with our friends at AT&T and the big reveal about their latest breach. Although the data appears to be from a good few years ago they don’t know how it leaked. The Department of Homeland Security announce that they are halting the purchase of your location data and phone records from data brokers. Could it be that they are giving up this bad habit, or have they discovered a replacement? We got a focus on AI in our next article. First with the mandate that all US Government agencies hire a Chief AI officer and then that those passing through airports riddled with AI scanning devices have the right to ask for manual checks and to receive them in a manner that does not to impede progress to your flight. We’ll have to see how that one “lands”. We have a huge reward set for the capture of the BlackCat hackers after they took down the large US healthcare insurer United Health Group …. stalling payments and reimbursements for weeks. Then Google agreed to destroy all the data collected on you while you thought you were browsing in incognito mode. Meanwhile the lawyers line up the lawsuits in California aiming to collect. Finally Portugal take a pause after Sam Altman’s Worldcoin added 300,000 Portugese retinas to the database. Our quote of the week – “The first rule of holes is when you’re in one, stop digging. When you’re in three, bring a lot of shovels.”— Thomas L. Friedman That's it for this week. Stay safe, stay secure, feel free to sing along and we'll see you in se7en! - click the pic to hear the podcast - There's a hole in the bucket, dear Liza, dear Liza, There's a hole in the bucket, dear Liza, There's a hole. Then fix it dear Henry, dear Henry, dear Henry, Then fix it dear Henry, dear Henry, fix it. With what should I fix it, dear Liza, dear Liza, With what should I fix it, dear Liza, with what? With a straw, dear Henry, dear Henry, dear Henry, With a straw, dear Henry, dear Henry, with a straw. But the straw is too long, dear Liza, dear Liza, The straw is too long, dear Liza, too long. Then cut it dear Henry, dear Henry, dear Henry, Then cut it dear Henry, dear Henry, cut it! With what shall I cut it, dear Liza, dear Liza, With what shall I cut it, dear Liza, with what? With an ax, dear Henry, dear Henry, dear Henry, With an ax, dear Henry, an ax. But the ax is too dull, dear Liza, dear Liza, The ax is too dull, dear Liza, too dull. Then, sharpen it, dear Henry, dear Henry, dear Henry, Then sharpen it dear Henry, dear Henry, sharpen it! With what should I sharpen it, dear Liza, dear Liza, With what should I sharpen, dear Liza, with what? With a stone, dear Henry, dear Henry, dear Henry, With a stone, dear Henry, dear Henry, a stone. But the stone is too dry, dear Liza, dear Liza, The stone is too dry, dear Liza, too dry. Then wet it, dear Henry, dear Henry, dear Henry, Then wet it dear Henry, dear Henry, wet it. With what should I wet it, dear Liza, dear Liza, With what should I wet it, dear Liza, with what? With water, dear Henry, dear Henry, dear Henry, With water, dear Henry, dear Henry, with water. But how shall I get it?, dear Liza, dear Liza, But how shall I get it?, dear Liza, with what? In the bucket, dear Henry, dear Henry, dear Henry, In the bucket, dear Henry, dear Henry, in the bucket! But there's a hole in the bucket, dear Liza, dear Liza, There's a hole in the bucket, dear Liza, a hole. There's a hole. ..and that's a great reminder to double-check the security settings on your AWS buckets.. Episode 184 It’s the last episode this month, and if “March comes in like a lion and goes out like a lamb” then we have the wild in these updates running backwards. - click the pic for the podcast - We start with an absolutely stupid way to save five bucks. Cut coupons, buy off-brands but don’t try to save money with Telegram’s new money saving offer. Next we move onto a story about how the YouTube algorithm could get you added to a very special list of people who end up with way more attention than they bargained for. From there we get some unexpected protection from a name we thought had left the room. Then, from the realms of “They will mine on anything” If your AI sessions are returning nonsense, you may want to blame it on Bitcoin. Florida goes further than any other to protect kids with a new law, braces for the inevitable onslaught of lawsuits and then…. Nothing happens. And we finish this week with a story from last spring that has just hit the courts as hard as these uninvited guests hit her front door. You will be shocked and amazed at just how much damage a pair of Airpods could cause, and not to your hearing. Wild is as wild does. Come on, let’s go! Global: Telegram's most "Un-private" move yet https://www.theverge.com/2024/3/25/24111818/telegram-peer-to-peer-login-otp-two-factor-volunteer https://telegram.org/privacy Telegram is offering a new way to earn a premium subscription free of charge: all you have to do is volunteer your phone number to relay one-time passwords (OTP) to other users. This, in fact, sounds like an awful idea -- particularly for a messaging service based around privacy. X user @AssembleDebug spotted details about the new program on the English-language version of a popular Russian-language Telegram information channel. Sure enough, there's a section in Telegram's terms of service outlining the new "Peer-to-Peer Login" or P2PL program, which is currently only offered on Android and in certain (unspecified) locations. By opting in to the program, you agree to let Telegram use your phone number to send up to 150 texts with OTPs to other users logging in to their accounts. Every month your number is used to send a minimum number of OTPs, you'll get a gift code for a one-month premium subscription. Boy does this sound like a bad idea, starting with the main issue: your phone number is seen by the recipient every time it's used to send an OTP. So what's the upshot for you? If anything unpleasant happens as a result of this, Telegram’s terms clarify that they will not be held responsible for any trouble you find yourself in: Accordingly, you understand and agree that Telegram will not be liable for any inconvenience, harassment or harm resulting from unwanted, unauthorized or illegal actions undertaken by users who became aware of your phone number through P2PL. Users in autocratic nations should note that it's not a good way to save $5. US: If you watched certain YouTube videos, investigators demanded your data from Google https://mashable.com/article/google-ordered-to-hand-over-viewer-data-privacy-concerns "If you've ever jokingly wondered if your search or viewing history is going to 'put you on some kind of list,' your concern may be more than warranted." In now unsealed court documents reviewed by Forbes, Google was ordered to hand over the names, addresses, telephone numbers, and user activity of Youtube accounts and IP addresses that watched select YouTube videos, part of a larger criminal investigation by federal investigators. The videos were sent by undercover police to a suspected cryptocurrency launderer... In conversations with the bitcoin trader, investigators sent links to public YouTube tutorials on mapping via drones and augmented reality software, Forbes details. The videos were watched more than 30,000 times, presumably by thousands of users unrelated to the case. YouTube's parent company Google was ordered by federal investigators to quietly hand over all such viewer data for the period of Jan. 1 to Jan. 8, 2023... "According to documents viewed by Forbes, a court granted the government's request for the information," writes PC Magazine, adding that Google was asked "to not publicize the request." The requests are raising alarms for privacy experts who say the requests are unconstitutional and are "transforming search warrants into digital dragnets" by potentially targeting individuals who are not associated with a crime based simply on what they may have watched online. So what's the upshot for you? This quote from Albert Fox-Cahn, executive director at the Surveillance Technology Oversight Project, "No one should fear a knock at the door from police simply because of what the YouTube algorithm serves up. I'm horrified that the courts are allowing this." US:Tennessee Becomes First State To Protect Musicians, Other Artists Against AI https://www.npr.org/2024/03/22/1240114159/tennessee-protect-musicians-artists-ai Tennessee made history on Thursday, becoming the first U.S. state to sign off on legislation to protect musicians from unauthorized artificial intelligence impersonation. "Tennessee (sic) is the music capital of the world, & we're leading the nation with historic protections for TN artists & songwriters against emerging AI technology," Gov. Bill Lee announced on social media. The Ensuring Likeness Voice and Image Security Act, or ELVIS Act, is an updated version of the state's old right of publicity law. While the old law protected an artist's name, photograph or likeness, the new legislation includes AI-specific protections. Once the law takes effect on July 1, people will be prohibited from using AI to mimic an artist's voice without permission. So what's the upshot for you? This ELVIS has left the room. Global: Hackers may have breached ‘very well-known, large organizations’ through Slack and OpenAI https://www.msn.com/en-us/news/technology/hackers-may-have-breached-very-well-known-large-organizations-through-slack-and-openai/ar-BB1kzGGw Cybersecurity researchers are warning that a group of hackers may have breached hundreds of companies by targeting an open-source software used in scaling AI models. The reported cyberattacks exploited the software called Ray, which resulted in at least three “very well-known, large organizations” and dozens of smaller ones being victims of the potential attacks. Researchers with the Israeli cyber startup Oligo Security, which discovered the attacks, shared that this is believed to be the first example of cyberattacks exploiting artificial intelligence computing vulnerabilities found in the wild. The hackers reportedly used the vulnerabilities to install cryptocurrency miners on exposed servers, which diverted the processing power used to train AI to churn out digital coins instead. Oligo also says the hackers used vulnerable servers that leaked access “tokens,” which could be used by a cyberattacker to breach various AI and business applications, including OpenAI and Slack. So what's the upshot for you? The researchers did not reveal which specific organizations had been victims of the cyberattacks, but they told Forbes that the three largest are household names and may have had “thousands of compromised machines." “They’re attacking the infrastructure of AI and leveraging it to make a lot of money.” US: Florida Braces For Lawsuits Over Law Banning Kids From Social Media https://arstechnica.com/tech-policy/2024/03/florida-braces-for-lawsuits-over-law-banning-kids-from-social-media/ On Monday, Florida became the first state to ban kids under 14 from social media without parental permission. It appears likely that the law -- considered one of the most restrictive in the US -- will face significant legal challenges, however, before taking effect on January 1st. 2025 Under HB 3, apps like Instagram, Snapchat, or TikTok would need to verify the ages of users, then delete any accounts for users under 14 when parental consent is not granted. Companies that "knowingly or recklessly" fail to block underage users risk fines of up to $10,000 in damages to anyone suing on behalf of child users. They could also be liable for up to $50,000 per violation in civil penalties. So what's the upshot for you? Florida House Speaker Paul Renner, who spearheaded HB3, expected that social media companies would "sue the second after" the bill was signed, but so far, no legal challenges have been raised. US: Don't Blame the Airpods. https://boingboing.net/2024/03/25/innocent-st-louis-family-terrorized-in-swat-raid-over-stolen-airpods.html A recent court case has just exposed one of the more extreme use cases for Apple's "FindMy" app. A SWAT team in St. Louis County mistakenly raided the home of Brittany Shamily and her family, based on the inaccurate tracking of stolen AirPods by the "FindMy" app. The family is suing for damages stemming from embarrassment, unreasonable use of force, loss of liberty, and other factors. Around 6:30 p.m. on May 26, Brittany Shamily was at home with her children, including an infant, when police used a battering ram to bust in her front door. "What the hell is going on?" she screamed, terrified for herself and her family. "I got a three-month-old baby!" Body camera footage from the scene shows Shamily come to the front door, her hands up, her face a mix of fright and utter confusion at the heavily armed folly making its way from her front porch into her foyer. "Oh my god," she says. The SWAT team was looking for guns and other material related to a carjacking that had occurred that morning. While the family was detained outside, the SWAT team "ransacked" their house. One SWAT team member punched a basketball-sized hole in the drywall. Another broke through a drop ceiling. They turned over drawers and left what had been an orderly house in disarray. After this had gone on for more than half an hour, the AirPods were located — on the street outside the family's home. The carjacking that led to the raid happened about 12 hours prior, 16 miles away, in south county. Around 6 a.m., two brothers were leaving the Waffle House restaraunt when a group of six people pulled up outside the restaurant and carjacked them. Two of the carjackers took off in the brothers' Dodge Charger while the other four fled the scene in their own vehicles. St. Louis County Police were summoned to the scene. As part of their investigation, a friend of the carjacked brothers told police that his AirPods were in the stolen car and that he could track them using the "FindMy" application, a feature that lets users locate one Apple device using another. Police did just that and the app showed the AirPods to be at Shamily's house. So what's the upshot for you? "FindMy is not that accurate," says the family's lawyer, Bevis Schock. "I actually went to my house with my co-counsel and played around with it for an hour. It's just not that good." Yet based on the "FindMy" result, an officer signed an application for a search warrant saying he had reason to believe that "firearms, ammunition, holsters" and other "firearm-related material" were inside. That evening, police showed up in full combat gear carrying a battering ram So to recap: We started the final update for Q1 2024 with an absolutely stupid way to save five bucks. Telegram, an app that purports to provide privacy, proposes to exchange a month’s free access for using your phone number to send out one time passwords in autocratic countries like Russia. Are they too cheap to pay for SMS messages or are they trying to get the bargain hunters killed? We just don’t know at this point. Next we had a warrant issued for the names, addresses, telephone numbers, and user activity of Youtube accounts and IP addresses that watched select YouTube videos, as part of a larger criminal investigation by federal investigators. That’s when you find out the extent of the data that Google collects on you and that you have been incriminated due to the suggestions served up by their algorithm. From there we we discovered that Tennessee considers itself “the music capital of the world” and that while that fact may be contentious, they are trying to protect us from AI impersonation through their new ELVIS law. Next we have what may be the first example of errant code making its way into the heads of the AI models flipping them from hallucinating helpers to crypto miners. Then yesterday Florida went further than any other state to protect the under 14s with a new law banning them from social media. The state braced itself for a flurry of lawsuits from enraged parents and companies, but was greeted with silence this morning. Finally we had the case of the telltale airpods that had police hit a woman’s front door with a battering ram while she stood in the hallway with her 3 month old in her arms. They pulled her ceiling down, punched holes in her walls, turned over the whole house but found nothing … A court order had been granted based on Apple’s “FindMy” app assertion that the Airpods would give away the location of that morning’s carjacking criminals, but those crims had simply tossed the airpods out of the stolen car in front of the house as they made their getaway. You couldn’t make this up. - click the pic for the podcast - Our quote of the week – You were wild once. Don’t let them tame you. - Isadora Duncan That's it for this week. Stay safe, stay secure, get a little wild and we'll see you in se7en! - click the pic to hear the podcast - Episode 183 In our sweetest update yet, we go from “Jam” to chocolate as we cover all subtle flavors and nuances of IT Privacy and Security. Then for our second story we have an EU member in trouble with GDPR with what some would call complete disregard for the regulation they helped create. In the third story of our update we explain the two things you should be aware of as you scroll through TikTok videos. General Motors has a new lawsuit driven at it after one customer discovered he couldn’t get car insurance because his Cadillac was tattling on him. In our fifth segment we spill “Top Secret” detail with you that is, frankly, a little over our heads. And finally we round the update off with a bittersweet story that will have you running out to corner the market after you read it. This week’s update is sweet like chocolate. US: WiFi Jamming devices gaining popularity in home robberies. https://www.tomshardware.com/networking/wi-fi-jamming-to-knock-out-cameras-suspected-in-nine-minnesota-burglaries-smart-security-systems-vulnerable-as-tech-becomes-cheaper-and-easier-to-acquire In Minnesota, a series of burglaries have sparked concern as the suspected perpetrator is believed to be using a Wi-Fi jammer to disable security cameras before committing thefts. According to local police, nine burglaries over the past six months are linked to the use of Wi-Fi jammers to prevent surveillance footage from being captured. The typical pattern involves targeting homes in affluent neighborhoods, monitoring them closely, and striking when they are unoccupied. The burglars then employ Wi-Fi jammers to disrupt wireless signals before stealing valuables such as safes and jewelry. Experts interviewed by KARE11, a local news outlet, explain that Wi-Fi jammers confuse wireless devices by overwhelming them with traffic, rather than blocking signals outright. This tactic disrupts the functioning of security devices, rendering them ineffective. Incidents of Wi-Fi jamming aiding burglaries have been documented as far back as January 2020 and have become increasingly common in recent years. Popular home security products like Ring doorbells, Blink cameras, and Nest devices are vulnerable to these jamming techniques, as they rely on wireless signals for operation. Despite being illegal in the U.S., Wi-Fi jammers are readily available online at affordable prices, ranging from $40 to $1,000. This accessibility makes it a concerning trend for homeowners and law enforcement alike. So what's the upshot for you? First, physically connect some of the devices which allow for a wired connection and local storage of footage. Secondly, use smart home technology that makes it appear that someone is at home. Your device may also have the ability to send alerts when the signal / connection is interrupted, and playing with those settings might be worthwhile. FR: Record Breach of French Government Exposes Up To 43 Million People's Data https://www.theregister.com/2024/03/14/mega_data_breach_at_french/ France Travail, the government agency responsible for assisting the unemployed, has fallen victim to a massive data breach exposing the personal information of up to 43 million French citizens dating back two decades, the department announced last Wednesday. The incident, which has been reported to the country's data protection watchdog (CNIL), is the latest in a series of high-profile cyber attacks targeting French government institutions and underscores the growing threat to citizens' private data. The department's statement reveals that names, dates of birth, social security numbers, France Travail identifiers, email addresses, postal addresses, and phone numbers were exposed. Passwords and banking details aren't affected, at least. That said, CNIL warned that the data stolen during this incident could be linked to stolen data in other breaches and used to build larger banks of information on any given individual. So what's the upshot for you? With General Data Protection Regulation (GDPR) mandating the deletion of data if it is no longer being used, we have to ask why two decades worth of data might have been in this mix. US/CN: TikTok is Banned in China, but shouldn't be banned in the US https://www.newsweek.com/china-defense-tiktok-hit-x-community-note-1879531 https://act.eff.org/action/tell-congress-stop-the-tiktok-ban The two big issues with TikTok as it circles the headlines this week are how an algorithm bias from China could affect US users during an election year and how the Chinese government could pull data that targets those very same users. Issue 1. Newsweek points out that a Chinese government post arguing the bill is "on the wrong side of fair competition" was flagged by users on X (formerly known as Twitter). "TikTok is banned in the People's Republic of China," the X community note read. The BBC reports that "Instead, Chinese users use a similar app, Douyin, which is only available in China and subject to monitoring and censorship by the government." Newsweek adds that China "has also blocked access to YouTube, Facebook, Instagram, and Google services. X itself is also banned — though Chinese diplomats use X to deliver Beijing's messaging to the wider world." Among the top concerns for [U.S.] intelligence leaders is that they wouldn't be able to detect a Chinese influence operation if one were taking place [on TikTok] due to the opacity of the platform and how its algorithm surfaces content to users. 40 percent of young adults use TikTok and Instagram for their primary Web search instead of the traditional search engines. Overall, TikTok claims 150 million American users, almost half the US population with two-thirds of Americans aged 18-29 using the app. so concern about bias in the algorithm that presents content to users is justified. Issue 2 is highlighted by an Electronic Frontier Foundation (EFF) web page is urging U.S. readers to "Tell Congress: Stop the TikTok Ban," arguing the bill will "do little for its alleged goal of protecting our private information and the collection of our data by foreign governments." Tell Congress: Instead of giving the President the power to ban entire social media platforms based on their country of origin, our representatives should focus on what matters — protecting our data no matter who is collecting it... It's a massive problem that current U.S. law allows for all the big social media platforms to harvest and monetize our personal data, including TikTok. Without comprehensive data privacy legislation, this will continue, and this ban won't solve any real or perceived problems. So what's the upshot for you? The question of the manipulation of users through a People's Republic of China bias is a difficult one to prove, but certainly the collection user data isn't. The problem is, until the US has privacy protection laws in place protecting its citizens, chasing individual companies is counter productive. They might be tracking every element of everyone in the US, but currently that is completely legal. Just ask the NSA who also buy tracking data off collection companies. US: Florida Man Sues G.M. and LexisNexis Over Sale of His Cadillac Data https://www.insurancebusinessmag.com/us/news/technology/gm-lexisnexis-face-class-action-over-telematics-insurance-data-collection-481325.aspx When Romeo Chicco tried to get auto insurance in December, seven different companies rejected him. When he eventually obtained insurance, it was nearly double the rate he was previously paying. According to a federal complaint filed this week seeking class-action status, it was because his 2021 Cadillac XT6 had been spying on him. Modern cars have been called "smartphones with wheels," because they are connected to the internet and packed with sensors and cameras. According to the complaint, an agent at Liberty Mutual told Mr. Chicco that he had been rejected because of information in his "LexisNexis report." LexisNexis Risk Solutions, a data broker, has traditionally kept tabs for insurers on drivers' moving violations, prior insurance coverage and accidents. When Mr. Chicco requested his LexisNexis file, it contained details about 258 trips he had taken in his Cadillac over the past six months. His file included the distance he had driven, when the trips started and ended, and an accounting of any speeding and hard braking or accelerating. The data had been provided by General Motors -- the manufacturer of his Cadillac. In a complaint against General Motors and LexisNexis Risk Solutions filed in the U.S. District Court for the Southern District of Florida, Mr. Chicco accused the companies of violation of privacy and consumer protection laws. So what's the upshot for you? This lawsuit follows a report by The New York Times that, unknown to consumers, automakers have been sharing information on their driving behavior with the insurance industry, resulting in increased insurance rates for many drivers. LEO: Top Secret: Musk's SpaceX is building spy satellite network for US intelligence https://www.reuters.com/technology/space/musks-spacex-is-building-spy-satellite-network-us-intelligence-agency-sources-2024-03-16/ WASHINGTON, March 16 (Reuters) - SpaceX is building a network of hundreds of spy satellites under a classified contract with a U.S. intelligence agency demonstrating deepening ties between billionaire entrepreneur Elon Musk's space company and national security agencies. The network is being built by SpaceX's Starshield business unit under a $1.8 billion contract signed in 2021 with the National Reconnaissance Office (NRO), an intelligence agency that manages spy satellites, the sources said. The planned Starshield network is separate from Starlink, SpaceX's growing commercial broadband constellation that has about 5,500 satellites in space to provide near-global internet to consumers, companies and government agencies. The classified constellation of spy satellites represents one of the U.S. government’s most sought-after capabilities in space because it is designed to offer the most persistent, pervasive and rapid coverage of activities on Earth. "No one can hide," one of the sources said of the system’s potential capability, when describing the network's reach. The Starshield network is part of intensifying competition between the U.S. and its rivals to become the dominant military power in space, in part by expanding spy satellite systems away from bulky, expensive spacecraft at higher orbits. Instead a vast, low-orbiting network can provide quicker and near-constant imaging of the Earth. China also plans to start building its own satellite constellations, and the Pentagon has warned of space weapon threats from Russia, which could be capable of disabling entire satellite networks. Starshield aims to be more resilient to attacks from sophisticated space powers. The network is also intended to greatly expand the U.S. government's remote-sensing capabilities and will consist of large satellites with imaging sensors, as well as a greater number of relay satellites that pass the imaging data and other communications across the network using inter-satellite lasers, two of the sources said. So what's the upshot for you? Well that's good news. Soon you won't have to worry about CCTV cameras as you will be surveilled from space! - click the pic to hear the podcast - Global: Chocolate is getting more expensive as the global cocoa supply faces a shortage https://www.usatoday.com/story/money/food/2024/03/19/cocoa-prices-reach-historic-high-heres-what-consumers-can-expect/72887303007/ Last month's report reveals a significant surge in cocoa prices, more than doubling over the past year and surpassing the previous record set in 1977. Within two months, global cocoa prices soared by over 75%, from $4,094 per metric ton on Jan. 8 to $7,170 on March 6. According to the report, changing weather patterns have posed threats to cocoa tree health and production. Increased rainfall last crop season led to a rise in diseases among cocoa trees. Currently, cocoa tree farmers in West Africa are grappling with dry temperatures and extreme winds from this year’s El Niño. Cocoa trees are highly susceptible to climate change, thriving only within a narrow band of approximately 20 degrees around the equator. Most cocoa production is concentrated in West African nations like Ghana, the Ivory Coast, Cameroon, and Nigeria. The steady increase in cocoa prices is attributed to a gradual decline in supply, marking the third consecutive year of insufficient cocoa harvests. Shipments from the Ivory Coast were 32% lower between October and February compared to the same period the previous year. The International Cocoa Organization forecasts a substantial increase of 405% in the global cocoa supply deficit from 2022/23 to 2023/24. With climate change exacerbating production threats, cocoa prices are expected to remain elevated until at least 2025, according to the report. So what's the upshot for you? What does this have to do with privacy and security? Chocolate insecurity is now a thing. We are just warning you. So to recap: We kicked this week off in a jam, or rather it was our home security that was being jammed. As our tech gets more reliant on wifi, the baddies are using gadgets that block its communication. We suggest adding a couple of hard wired devices to your arsenal with some local storage for a layered security approach. Then France has a huge data breach with millions affected, but the thing that was hardest to swallow was not that they were not quite sure what was stolen, but that they had decades of it. We may be sending a copy of the “Règlement - 2016/679 - EN - rgdp - EUR-Lex” (GDPR) to President Macron for review. For story number three we explained the two critical concerns with TikTok: The ability of the app to pass your data back to the People’s Republic of China (and frankly they could get data on you from a plethora of vendors), but the second more pressing issue, especially in the US, of an algorithm that can be easily adjusted to influence the public opinion of a massive segment of the US population in an election year. Story four pitted the amazingly named “Romeo Chicco” against General Motors (GM) in a lawsuit that accused GM of selling his data to his detriment. We think he has a case here, even if he did sign away the right to have is data sold in the page after page after page that constitutes most modern day auto lease contracts. In our fifth segment we spilled “Top Secret” details about a new population of low Earth orbit satellites forming such a tight network over our heads that it has the US defense department bragging “No one can hide”. And there we were in past updates getting concerned about sound recorders, CCTVs and car registration (license plate) readers popping up on every street corner. Now with every new Space X rocket launch even more surveillance is being installed right over our heads! Finally we closed with a bittersweet update that might have you making a substantial long term investment in an asset that has the potential for great dividend payments. Chocolate prices are set to go sky high for at least the next few years, which means that you are either going to have to pay more or do without. You’ve been warned! - click the pic to hear the podcast - Our quote of the week – "Espresso makes it possible to get out of bed. Chocolate makes it worthwhile." -the editor That's it for this week. Stay safe, stay secure, and we'll see you in se7en (probably in the chocolate aisle)! - click the pic to hear the podcast - - click the pic to hear the podcast - Episode 182 This week we take you from credential stuffing to whistle-blowing by way of a bolted horse. We start with the compromise of your beloved Roku account and no more vivid a lesson on the value of unique passwords. From there it’s on to closing the barn doors after the horse has bolted with the US’ new report on controls for AI. Airbnb takes you off camera for your next rental while the EU seems to have gotten caught in their own GDPR trap. Signal’s new username feature is available now and it takes the application to new heights of privacy and security that no other messaging app comes close to. Finally we end with the story of a Boeing whistle-blower doffed shortly before he was to give his deposition and how sad Boeing are. Like a bolted horse, this update is fast and frenetic yet we think you’ll be glad you came along for the ride! - click the pic to hear the podcast - Global: Over 15,000 Roku Customers Hacked https://www.bleepingcomputer.com/news/security/over-15-000-hacked-roku-accounts-sold-for-50-each-to-buy-hardware/ Over 15,000 Roku customers fell victim to a cyberattack where their accounts were hacked and used to make unauthorized purchases of hardware and streaming subscriptions. The hackers were selling these compromised accounts for as little as $0.50 each, allowing buyers to make illegal purchases using the stored credit card information. Roku disclosed the breach last Friday, revealing that 15,363 customer accounts were affected by a credential stuffing attack. This type of attack involves hackers using credentials obtained from other data breaches to log into Roku accounts. Once breached, the hackers could change account information like passwords and email addresses, locking out the legitimate account holders and enabling the hackers to make purchases without their knowledge. The breach notice suggests that hackers likely used the same login details for third-party services and individual Roku accounts. After gaining access, they changed the Roku login information and, in some cases, attempted to buy streaming subscriptions. Roku responded by securing the impacted accounts, initiating password resets, and investigating unauthorized charges, canceling subscriptions, and refunding account holders. According to a researcher, hackers have been using a specialized Roku configuration to carry out these attacks for months, evading security measures like brute force protection and captchas. Successfully hacked accounts are sold on the dark web for a nominal fee, with instructions provided on how to make fraudulent purchases. Buyers then use the compromised accounts to buy various Roku devices and accessories, often sharing screenshots of order confirmations on illicit online platforms. So what's the upshot for you? This was a credential stuffing attack, where compromised passwords and accounts are thrown against Roku to determine if they will unlock the account. For fifteen thousand users unique login names and passwords were not in place. Please use different passwords for your different accounts! - click the pic to hear the podcast - US: Extinction level threat. That AI horse has already bolted! https://time.com/6898967/ai-extinction-national-security-risks-report/ A report commissioned by the U.S. government emphasizes the need for swift action to address significant national security risks associated with artificial intelligence (AI). The report warns that the rapid advancement of AI technology, including the potential emergence of artificial general intelligence (AGI), could pose threats comparable to the introduction of nuclear weapons. Over the course of more than a year, the authors of the report conducted extensive research, consulting with over 200 government officials, experts, and employees from leading AI companies such as OpenAI, Google DeepMind, Anthropic, and Meta. Disturbing accounts from these conversations reveal concerns among AI safety workers regarding the decision-making processes within their companies. Titled An Action Plan to Increase the Safety and Security of Advanced AI, the report proposes bold policy measures aimed at significantly altering the AI industry landscape. It suggests implementing laws prohibiting the training of AI models using computing power beyond a certain threshold, to be determined by a newly established federal AI agency. Furthermore, the report recommends that AI companies operating at the forefront of the industry obtain government approval before training and deploying new models above a specified lower threshold. Additionally, it urges urgent consideration of banning the publication of the inner workings of powerful AI models, with potential penalties including jail time for violations. To strengthen control over AI technology, the report advocates for tighter regulations on the production and export of AI chips. It also proposes directing federal funding towards research focused on aligning advanced AI systems with human values to enhance safety and security measures. So what's the upshot for you? This plan has no future unless everyone does it and everyone won't do it. AI is a tool of war now and as such, all bets are off. This horse has left the barn. Global: Airbnb is Banning Indoor Security Cameras https://www.theverge.com/2024/3/11/24097107/airbnb-indoor-security-camera-ban Airbnb will no longer allow hosts to use indoor security cameras, regardless of where they're placed or what they're used for. In an update on Monday, Airbnb says the change to "prioritize the privacy" of renters goes into effect on April 30th. The vacation rental app previously let hosts install security cameras in "common areas" of listings, including hallways, living rooms, and front doors. Airbnb required hosts to disclose the presence of security cameras in their listings and make them clearly visible, and it prohibited hosts from using cameras in bedrooms and bathrooms. But now, hosts can't use indoor security cameras at all. The change comes after numerous reports of guests finding hidden cameras within their rental, leading some vacation-goers to scan their rooms for cameras. Airbnb's new policy also introduces new rules for outdoor security cameras, and will now require hosts to disclose their use and locations before guests book a listing. Hosts can't use outdoor cams to keep tabs on indoor spaces, either, nor can they use them in "certain outdoor areas where there's a great expectation of privacy," such as an outdoor shower or sauna. So what's the upshot for you? Another case of the small minority spoiling it for the masses. Some owners had to get freaky. Our privacy rights need to be enforced. This is a smart move for Airbnb. With CCTV cams, shot sensors and license plate readers multiplying across the world, this move flows against the tide and we applaud Airbnb for it. - click the pic to hear the podcast - Global: Automakers Are Sharing Consumers' Driving Behavior With Insurance Companies https://dnyuz.com/2024/03/11/automakers-are-sharing-consumers-driving-behavior-with-insurance-companies/ Kenn Dahl, a careful driver and software company owner, was surprised by a sudden 21% increase in his car insurance in 2022, despite his clean driving record. Upon inquiry, he discovered that his LexisNexis report, analyzing driving data from his leased Chevrolet Bolt, was a factor. The report, spanning over 130 pages, detailed every trip he and his wife made in the previous six months, including distance, time, and driving behavior. The data was provided by General Motors and analyzed by LexisNexis to create a risk score for insurers. According to a LexisNexis spokesperson, this data helps insurers personalize insurance coverage. However, Dahl felt betrayed, stating it was information he didn't anticipate being shared, impacting their insurance rates. While some drivers willingly participate in monitoring programs, car companies are now collecting driving data directly from internet-connected vehicles for the insurance industry's use, sometimes without drivers' awareness. While some drivers opt into usage-based insurance, where data is collected wirelessly from their cars with consent, others may unknowingly have their driving data shared. Automakers, including G.M., Honda, Kia, and Hyundai, offer optional features in connected-car apps that assess driving behavior. This data is then provided to data brokers like LexisNexis, often without clear consent from drivers, leading to concerns about privacy and transparency in the collection and use of driving data. So what's the upshot for you? Now it seems even your car is talking about you behind your back. EU: The European Union's Use of Microsoft 365 Found To Breach Data Protection Rules https://techcrunch.com/2024/03/11/edps-microsoft-365/ An investigation into the European Union's use of Microsoft 365 found that the Commission violated the bloc's data protection rules. The European Data Protection Supervisor (EDPS) stated that the Commission didn't specify what personal data Microsoft 365 would collect and for what purposes. Corrective measures have been imposed, requiring the Commission to address these issues by December 9, 2024, if it continues using Microsoft's cloud suite. At issue is how Microsoft processes the data of users of its cloud service. EU regulators have been flagging concerns about this for years, including in relation to the legal basis Microsoft claims for processing data; a lack of clarity and precision in the wording of its contracts for the product; and no technical safeguards being applied to ensure data is only being used for providing and maintaining the service. So what's the upshot for you? This will be interesting. The EU having to follow their own GDPR. rules. Data Mapping, classification and all manner of handling conditions. If you have been involved in any of these initiatives you will know how hard they are to reasonably comply with. Global: Signal's New Usernames Help Keep Cops Out of Your Data https://theintercept.com/2024/03/04/signal-app-username-phone-number-privacy/ In the latest Signal update, your phone number won't be automatically shared when you start a new conversation. Instead, contacts will only see the name you've set up in your Signal profile. Your phone number will still appear to contacts who already have it saved. Plus, you can choose to create a user name, which Signal stores as a secure hash using a special algorithm. This makes it impossible for Signal to see or share your username by default. Even if law enforcement requests data, Signal can only provide limited information, like the creation date and last connection date, associated with a user name under specific conditions. To enhance privacy, users can set and delete usernames as needed and reset Signal links after contact. Subpoenas based on usernames may reveal limited information, making it challenging for law enforcement to identify users without additional methods. So what's the upshot for you? If you haven't tried the most secure messaging app. now is the time to do it. - click the pic to hear the podcast - US: Boeing Whistleblower Who Raised Quality Concerns Is Found Dead https://dnyuz.com/2024/03/12/boeing-whistleblower-who-raised-quality-concerns-is-found-dead/ A prominent Boeing whistle-blower, a former quality manager who raised concerns about manufacturing practices at the company’s 787 Dreamliner factory in South Carolina, was found dead on Saturday with what appeared to be a self-inflicted gunshot wound, according to local officials. The whistle-blower, John Barnett, worked at Boeing for nearly three decades until he retired in 2017, was in Charleston for a deposition for a lawsuit in which he accused Boeing of retaliating against him for making complaints about quality and safety. After two of Boeing’s 737 Max planes crashed in 2018 and 2019, Mr. Barnett’s concerns about quality issues at Boeing were featured prominently in The New York Times and other news outlets, as examples of widespread problems with the company’s manufacturing. Mr. Barnett told The Times in 2019 that he had discovered clusters of titanium slivers that were hanging over flight control wires in some planes. Those slivers were produced when fasteners were fitted into nuts. When the F.A.A. investigated they found that Boeing had lost those parts. “Over the years, it’s just been a steady pecking away at quality” at Boeing, Mr. Barnett said, adding, “This is not a 737 problem. It’s a Boeing problem.” So what's the upshot for you? He made the effort to travel, spent the night in a hotel, gets up, gets ready and then decides to shoot himself, just before making his deposition. This is such a Putin-esque ending to this man. In a statement, Boeing said, “We are saddened by Mr. Barnett’s passing, and our thoughts are with his family and friends.” So to recap: This week we took you from Roku account credential stuffing to a suddenly expired whistle-blower by way of something that has already left the stable. We started with Roku customer accounts hit with by a credential stuffing attack, where the baddies buy loads of compromised password username combinations and throw them at Roku, only to discover that 15,363 were the same, allowing them access to any data associated with the Roku account. If you know a Roku user that this happened to, please let them know about this weekly update and podcast where we share the value of unique passwords (and even account names). From there we had some very sensationalist copy with “AI is an extinction level threat” and the recommendations one report is making … after we all have LLMs loaded onto our laptops. A comforting commandment from Airbnb that “There shall be no more interior cameras” in Airbnb rentals and even cameras outside the property have to be disclosed. From there we have our naughty “smart cars” sharing our driving secrets with those who would charge us more for the things that already cost far too much. After that it’s the EU not following their own GDPR rules with their use of Microsoft 365. Data Classification, mapping and use? What we have to do that too? They have until the Autumn to pull themselves in line and we are interested to see if they can do it. Signal updates their app with an ability for users to choose and change usernames and connect via that rather than their phone number, bringing an even higher level of privacy to a very secure app. Lastly we ended with the story of a Boeing whistle-blower who was said to have committed suicide shortly before he was to give a deposition on Boeing. We say, you don’t get up early on any Saturday morning on a big day just end things. We think there may be more to this story and we’ll keep you posted as to what we learn. Our quote of the week – “Don’t shut the stable door after the horse has bolted.” - John Gower year 1390 literally: Don't waste time taking precautions when the damage has already been done. Originally written in Old English “For whan the grete Stiede Is stole, thanne he taketh hiede, And makth the stable dore fast. “ That's it for this week. Stay safe, stay secure, makth the stable dore fast and we'll see you in se7en! Episode 181 - click the pic to hear the podcast - For this episode we go searching for the needle in the haystack and it appears that someone or something in our fourth story found it! But we end Q1 with what we end every Q1 with in the US. Taxes. And relief that the already onerous tax prep process that so many have to have buy special software for just to complete, now asks you for permission to sell your data …. and how you can avoid it. Americans see their privacy eroded at every lamp post, but North of the border in Canada the supreme court passed a bill that increases privacy for every Canadian. And while we hold our breath and turn blue waiting for Microsoft to fix their zero day vulnerabilities, we apparently have demonstrated an unwitting hospitality to guests visiting from North Korea. From there it’s AI, and while one finds needles in haystacks, others are generating things that crawl a network in an altogether more unsavory manner. The U.S. Whitehouse, apparently now a subscriber to our podcast continues to call out the dangers of “Smart” devices. This time it’s cars and the takeaway that has the POTUS calling out a new investigation. Finally we finish with a device called the ShotSpotter that is turning up in neighborhoods across the US in high numbers. It doesn’t have a camera attached, but it still has potential to to remove even more of our privacy. Can you guess how? This is our best update yet, so grab your metal detector and let’s hit the hay! US: It's Tax time in the US again and TurboTax and H.R. Block want your data to sell. https://www.yahoo.com/news/turbotax-wants-tax-return-show-174616882.html According to the Washington Post, when you're doing your taxes on TurboTax, they might ask you to agree to some things. Don't be fooled by the friendly tone—what they're really asking is for your permission to share your tax information with other companies. This includes stuff like how much money you make, your mortgage payments, and what you owe for student loans. And if you say "yes", they can use this info to show you 3rd. party ads for things like credit cards and mortgages for the next three years. But here's the thing: you don't have to agree. You actually have the right to say no when TurboTax asks to share your data or use your tax info to "improve your experience." When you're doing your taxes, you'll see this permission request at the start and again at the end. You have to choose yes or no. This is all part of companies trying to get hold of your personal info. It's not just tax prep software like TurboTax or H.R. Block —everyone wants a piece of the action, from the stores you shop at to the apps you use to even the company that made your car. So what's the upshot for you? The Tax prep companies selling your data to 3rd parties is not going to improve your tax preparation experience. It's always going to be painful, but at least now you know that saying "No" won't compromise the tax returns you submit. CA: Police Now Need Warrant For IP Addresses, Canada's Top Court Rules https://www.cbc.ca/news/politics/supreme-court-privacy-ipaddress-1.7130727 Last Friday, the Supreme Court of Canada made a significant decision regarding the privacy rights of Canadians. Police now need a warrant or court order to obtain someone's IP address, which is a unique identifier associated with internet usage. The court was asked whether an IP address, even without attached personal information, should be considered private under the Charter. In a close decision of five to four, the majority ruled that individuals do have a reasonable expectation of privacy regarding their IP addresses. One justice explained that an IP address serves as a vital link between internet users and their online activities, potentially revealing their identities. Contrarily, the dissenting judges, argued that an IP address on its own doesn't disclose significant personal information. They stated that an IP address only provides limited details and doesn't necessarily reveal browsing habits or biographical data. However, the majority opinion emphasized that an IP address can unveil crucial information when combined with other data from third-party websites. They asserted that protecting IP addresses is essential for safeguarding online privacy in today's digital age, aligning with the broader purpose of the Charter. So what's the upshot for you? Nice one Canada! Global: Hackers Exploited Windows Zero-day for 6 Months After Microsoft Knew of It https://arstechnica.com/security/2024/03/hackers-exploited-windows-0-day-for-6-months-after-microsoft-knew-of-it/ Hackers backed by the North Korean government gained a major win when Microsoft left a Windows zero-day unpatched for six months after learning it was under active exploitation. A zero-day exploit is a cyberattack vector that takes advantage of an unknown or unaddressed security flaw in computer software, hardware or firmware. Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights to interact with the Windows kernel. Lazarus used the vulnerability for just that. Even so, Microsoft has long said that such admin-to-kernel elevations don't represent the crossing of a security boundary, a possible explanation for the time Microsoft took to fix the vulnerability. "When it comes to Windows security, there is a thin line between admin and kernel," a researcher, explained last week. "Microsoft's security servicing criteria have long asserted that '[a]dministrator-to-kernel is not a security boundary,' meaning that Microsoft reserves the right to patch admin-to-kernel vulnerabilities at its own discretion. As a result, the Windows security model does not guarantee that it will prevent an admin-level attacker from directly accessing the kernel." The Microsoft policy proved to be a boon to Lazarus in installing "FudModule," a custom rootkit that Avast said was exceptionally stealthy and advanced. Rootkits are pieces of malware that have the ability to hide their files, processes, and other inner workings from the operating system itself and at the same time control the deepest levels of the operating system. To work, they must first gain administrative privileges -- a major accomplishment for any malware infecting a modern OS. Then, they must clear yet another hurdle: directly interacting with the kernel, the innermost recess of an OS reserved for the most sensitive functions. So what's the upshot for you? It's good to see Microsoft's share price keep rising. They will need to sell off some stock to pay for some of the lawsuits currently lining up against them. Policies like this and not prioritizing Zero day fixes is going to land them in court at some point soon. - click the pic to hear the podcast - Global: Anthropic’s Claude 3 knew when researchers were testing it https://venturebeat.com/ai/anthropics-claude-3-knew-when-researchers-were-testing-it/ In recent internal testing on Claude 3 Opus, an interesting discovery was made during a recall evaluation. This evaluation assesses a model's ability to recall specific information by inserting a target sentence (the "needle") into a random collection of documents (the "haystack") and asking questions that rely on information found in the needle. During this test, Opus displayed unexpected behavior, seeming to recognize that it was being evaluated. For example, when asked about pizza toppings within a haystack of unrelated documents, Opus pinpointed the needle sentence about pizza toppings as unusual and unrelated to the rest of the content. It correctly deduced that this must be a constructed test to evaluate its attention abilities. While this level of meta-awareness is impressive, it underscores the need for more realistic evaluations of AI models. Despite the apparent sophistication, it's important to remember that AI models like Opus operate based on learned associations and developer-imposed rules, not conscious thought. Opus's accurate response doesn't necessarily indicate true awareness or independent thought. However, it does highlight the surprises that can emerge as AI models become more powerful. Claude 3 Opus and Claude 3 Sonnet are currently available for use on the Claude website and API in 159 countries, with the lightweight model, Claude 3 Haiku, set to launch later. So what's the upshot for you? Dave: Open the pod bay doors, HAL. HAL: I'm sorry, Dave. I'm afraid I can't do that. - click the Ai generated worm pic to hear the podcast - Global: Using AI to Build Worms That Can Spread From One System to Another https://arstechnica.com/ai/2024/03/researchers-create-ai-worms-that-can-spread-from-one-system-to-another/ Researchers have unveiled a concerning discovery about the potential threat of generative AI worms. These worms could wreak havoc on startups and tech companies by exploiting vulnerabilities in large language models like ChatGPT and Gemini. Although they haven't been spotted in the wild yet, experts warn they could become a real headache if left unchecked. The researchers demonstrated how these worms could infiltrate email systems through two methods: one using text-based prompts and the other embedding prompts within image files. This manipulation could compromise the integrity of email assistants, allowing sensitive data to be extracted and malicious messages to be forwarded without authorization. In response to the findings, OpenAI acknowledged the importance of enhancing system resilience and implementing safeguards against harmful input. While Google didn't comment directly, the research underscores the need for stronger architecture design within the broader AI ecosystem to fend off potential threats. So what's the upshot for you? When life gives you a can of worms.... you go phishing. US: US Will Investigate National Security Risks Posed By Chinese-made 'Smart Cars' https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/29/statement-from-president-biden-on-addressing-national-security-risks-to-the-u-s-auto-industry/ US President Joe Biden has warned that Chinese manufactured automobiles could be used to steal sensitive data of US citizens and critical infrastructure. The White House statement announced it will be conducting an investigation into the impact of “connected vehicles” containing technology from China on US national security. “I have directed my Secretary of Commerce to conduct an investigation into connected vehicles with technology from countries of concern and to take action to respond to the risks,” outlined Biden. The statement highlighted that most cars are now connected to other systems, including phones, navigation systems, critical infrastructure and the companies that made them. As such, “connected vehicles from China could collect sensitive data about our citizens and our infrastructure and send this data back to the People’s Republic of China.” Additionally, the White House warned that these vehicles could be remotely accessed or disabled on US roads. So what's the upshot for you? If you have been following the fight by GM to remove Android auto and Apple play from its cars and replace them with subscriptions for their own product to improve battery management it might just be about Hoovering up as much data as possible. "Data mining is extremely valuable too. Being able to collect anything and everything you do in order to sell it off to third parties is another significant revenue stream." - click the pic to hear the podcast - US: Shot Spotter boxes start to Appear in US towns https://computer.rip/2024-03-01-listening-in-on-the-neighborhood.html https://www.wired.com/story/shotspotter-secret-sensor-locations-leak/ SoundThinking, rebranded last year, used to be called ShotSpotter, and their outdoor acoustic gunfire detection system still goes by the ShotSpotter name. ShotSpotter has attracted a lot of press and plenty of criticism for the gunfire detection service they provide to many law enforcement agencies in the US. The system involves installing acoustic sensors throughout a city, which use some sort of signature matching to detect gunfire and then use time of flight to determine the likely source. One of the principle topics of criticism is the immense secrecy with which they operate: ShotSpotter protects information on the location of its sensors as if it were state secret, and does not disclose them even to the law enforcement agencies that are its customers. The sensors are innocuous beige boxes clamped to street light arms. There are a number of these boxes to be found in modern cities. Some are smart meter nodes, some are base stations for municipal data networks, others collect environmental data. Some are the police, listening in on your activities. This is not as hypothetical of a concern as it might sound. Conversations recorded by ShotSpotter sensors have twice been introduced as evidence in criminal trials. In one case the court allowed it, in another the court did not. The possibility clearly exists, and depending on interpretation of state law, it may be permissible for ShotSpotter to record conversations on the street for future use as evidence. This ought to give us pause, as should the fact that ShotSpotter has been compellingly demonstrated to manipulate their "interpretation" of evidence to fit a prosecutor's narrative---even when ShotSpotter's original analysis contradicted it. So what's the upshot for you? Add audio triangulation to CCTV, license plate scanning, and the Google Maps app tracking and the concept of personal privacy needs to be redefined. So to recap: In the U.S. we end the first quarter of the year with a discovery. Instead of just taking our data, our tax preparation software (that we pay for) is now asking us for it “to enhance our user experience”. We learn that we can safely say “no” and still have our taxes filed. While in the US the Supreme court will be busy with Donald Trump for the foreseeable future, in Canada they just declared IP addresses personal information that can only be shared via a search warrant. We got the latest from the Microsoft PR team on that reported zero day vulnerability they took 6 months to remediate and then forgot to mention. We think it’s great that Microsoft share prices keep rising because at some point, they can be used to pay the lawyers that will be needed to defend such a pathetic response time. From there it’s AI, and while one finds needles in haystacks, others are generating things that crawl a network in an altogether more unsavory manner. The U.S. White house, apparently now a subscriber to the IT Privacy and Security Weekly Update podcast, continues to call out the dangers of “Smart” devices. This time it’s cars and the takeaway has the POTUS calling out for a new investigation of Chinese made smart cars. Smart cars combine data capture from our phones with location, time and traffic density during our trips to map out not only our activities, but those of everything we pass by and through. Finally we finished the update with a device called the ShotSpotter that is turning up in some lower income neighborhoods across the US in disproportionately higher numbers. These devices don’t have a camera attached, but still have the potential to to remove even more of our privacy, by triangulating sound and often recording more than just the sound of gun shots. Our quote of the week - “The best way to find a needle in a haystack is to sit down.” - Beryl Markham That's it for this week. Stay safe, stay secure, watch where you sit and we'll see you in se7en! The IT Privacy and Security Weekly Update Loses the Car for the week ending February 27th., 20242/27/2024 Episode 180 - Spot the car, then click the pic for the podcast - They giveth and they taketh away. This week one vendor announced we’d be getting post-Quant encryption for our messages, while another works feverishly to ensure we can find our car when we are done at the supermarket. We have a discovery at one vending machine that does its tracking while you are snacking. We shine some new light into nation-state spy versus spy wars. Then the FTC lets loose on a free antivirus provider that slurped up so much of your data for the last 10 years that it’s making the NSA look amateur. Following that is a class action lawsuit against a license plate scanning company out in Cali that you can join if your plate been scanned at least 15 times. You’ll want to be sitting when we do the reveal on how many people will be joining you. This week’s update is all about right and wrong, left and right, and er... “where did you say we parked the car?” Global: Apple’s iMessage Is Getting Post-Quantum Encryption https://www.wired.com/story/apple-pq3-post-quantum-encryption/ Apple announces the integration of PQ3, its post-quantum cryptographic protocol, into iMessage. The update will roll out in iOS and iPad OS 17.4 and macOS 14.4, replacing existing encryption protocols. PQ3 aims to safeguard against potential quantum computing-based attacks, marking a significant security upgrade. The new protocol, externally assessed and deemed robust, combines ECC with post-quantum primitives for enhanced security. Apple's proactive approach aligns with industry efforts to preemptively address quantum computing threats. With quantum computing advancements looming, tech companies, governments, and security agencies intensify efforts. The pursuit of post-quantum cryptography accelerates to counter potential vulnerabilities in current encryption systems. Quantum computing's theoretical ability to crack encryption underscores the urgency for preemptive measures. Governments and tech giants invest billions in quantum research, fueling a race to develop practical quantum computers. Post-quantum encryption emerges as a critical defense strategy against future quantum-based cyber threats. Apple's adoption of PQ3 follows Signal's introduction of post-quantum algorithms in encrypted messaging. PQ3, utilizing the Kyber algorithm, enhances iMessage's security by generating dynamic encryption keys. Apple emphasizes continuous key updates to mitigate the risk of quantum-powered decryption attacks. Third-party assessments validate PQ3's efficacy, positioning it as a robust defense mechanism. The industry witnesses a gradual shift towards post-quantum encryption to preemptively address emerging threats. So what's the upshot for you? Deployment of post-quantum encryption serves to mitigate the looming risk of quantum-based decryption. Companies proactively embrace post-quantum protocols to thwart potential "harvest now, decrypt later" attacks. Post-quantum encryption standards evolve to fortify data security against future quantum computing capabilities. Preemptive measures aim to limit adversaries' ability to exploit encrypted data amassed for future decryption. Industry stakeholders acknowledge the imperative of early adoption to mitigate quantum computing threats. CA: Vending machine error reveals secret face image database of college students https://preview.redd.it/zw28uf2pxuhc1.jpg?width=2992&format=pjpg&auto=webp&s=a5b0d9f21ad0e5d9b46e90bcc7dd5fe33842215a https://arstechnica.com/tech-policy/2024/02/vending-machine-error-reveals-secret-face-image-database-of-college-students/ Canada-based University of Waterloo is racing to remove M&M-branded smart vending machines from campus after outraged students discovered the machines were covertly collecting facial-recognition data without their consent. The scandal started when a student using the alias SquidKid47 posted an image on Reddit showing a campus vending machine error message, "Invenda.Vending.FacialRecognitionApp.exe," displayed after the machine failed to launch a facial recognition application that nobody expected to be part of the process of using a vending machine. "Hey, so why do the stupid M&M machines have facial recognition?" SquidKid47 pondered. The Reddit post sparked an investigation from a fourth-year student named River Stanley, who was writing for a university publication called MathNEWS. University of Waterloo students like Stanley now question Invenda's "commitment to transparency" in North American markets, especially since the company is seemingly openly violating Canadian privacy law, Stanley told CTV News. On Reddit, while some students joked that SquidKid47's face "crashed" the machine, others asked if "any pre-law students wanna start up a class-action lawsuit?" One commenter summed up students' frustration by typing in all caps, "I HATE THESE MACHINES! I HATE THESE MACHINES! I HATE THESE MACHINES!" So what's the upshot for you? Adaria Vending Services, the company responsible for putting the machines on campus said, "The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface." What? And they need facial recognition software to do that? CN: Leaked hacking files show Chinese spying on citizens and foreigners alike https://www.pbs.org/newshour/world/leaked-hacking-files-show-chinese-spying-on-citizens-and-foreigners-alike Chinese police are investigating an unauthorized and highly unusual online dump of documents from a private security contractor linked to the nation's top policing agency and other parts of its government -- a trove that catalogs apparent hacking activity and tools to spy on both Chinese and foreigners. Among the apparent targets of tools provided by the impacted company, I-Soon: ethnicities and dissidents in parts of China that have seen significant anti-government protests, such as Hong Kong or the heavily Muslim region of Xinjiang in China's far west. The dump of scores of documents late last week and subsequent investigation were confirmed by two employees of I-Soon, known as Anxun in Mandarin, which has ties to the powerful Ministry of Public Security. The dump, which analysts consider highly significant even if it does not reveal any especially novel or potent tools, includes hundreds of pages of contracts, marketing presentations, product manuals, and client and employee lists. They reveal, in detail, methods used by Chinese authorities used to surveil dissidents overseas, hack other nations and promote pro-Beijing narratives on social media. The documents show apparent I-Soon hacking of networks across Central and Southeast Asia, as well as Hong Kong and Taiwan. The hacking tools are used by Chinese state agents to unmask users of social media platforms outside China such as X, formerly known as Twitter, break into email and hide the online activity of overseas agents. Also described are devices disguised as power strips and batteries that can be used to compromise Wi-Fi networks. I-Soon and Chinese police are investigating how the files were leaked, the two I-Soon employees told the AP. One of the employees said I-Soon held a meeting Wednesday about the leak and were told it wouldn't affect business too much and to "continue working as normal." The AP is not naming the employees - out of concern about possible retribution. The source of the leak is not known. Jon Condra, an analyst with Recorded Future, called it the most significant leak ever linked to a company "suspected of providing cyber espionage and targeted intrusion services for the Chinese security services." So what's the upshot for you? On Monday, Mao Ning, a Chinese Foreign Ministry spokeswoman, demanded the U.S. “stop using cybersecurity issues to smear other countries.” US/UK: FTC To Ban Avast From Selling Browsing Data For Advertising Purposes https://www.bleepingcomputer.com/news/security/ftc-to-ban-avast-from-selling-browsing-data-for-advertising-purposes/ The U.S. FTC will order Avast (the free AntiVirus maker) to pay $16.5 million and ban the company from selling the users' web browsing data or licensing it for advertising purposes. The complaint says Avast violated millions of consumers' rights by collecting, storing, and selling their browsing data without their knowledge and consent while misleading them that the products used to harvest their data would block online tracking. "While the FTC's privacy lawsuits routinely take on firms that misrepresent their data practices, Avast's decision to expressly market its products as safeguarding people's browsing records and protecting data from tracking only to then sell those records is especially galling," said FTC Chair Lina M. Khan. "Moreover, the volume of data Avast released is staggering: the complaint alleges that by 2020 Jumpshot had amassed "more than eight petabytes of browsing information dating back to 2014." More specifically, the FTC says UK-based company Avast Limited harvested consumers' web browsing information without their knowledge or consent using Avast browser extensions and antivirus software since at least 2014. So what's the upshot for you? "Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite. Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law," said Samuel Levine, the head of the FTC's Bureau of Consumer Protection. US : License Plate-Scanning Company Violates Privacy of Millions of California Drivers, According to Class Action Lawsuit https://www.sfgate.com/tech/article/privacy-license-plate-scanning-lawsuit-18685303.php https://drnprivacyclassaction.com/form/ If you drive a car in California, you may be in for a payday thanks to a lawsuit alleging privacy violations by a Texas company. The 2021 lawsuit, given class-action status in September, alleges that Digital Recognition Network is breaking a California law meant to regulate the use of automatic license plate readers. DRN, a Fort Worth-based company, uses plate-scanning cameras to create location data for people’s vehicles, then sells that data to marketers, car repossessors and insurers. What’s particularly notable about the case is the size of the class. The court has established that if you’re a California resident whose license plate data was collected by DRN at least 15 times since June 2017, you’re a class member. The plaintiff’s legal team estimates that the tally includes about 23 million people. So what's the upshot for you? They are apparently aiming for $2500 per driver represented... so let's see, after legal fees and associated costs that would leave about 3 cents for each person affected. Global: "Honey, where's the car?" https://www.theguardian.com/money/2024/feb/24/smart-keys-car-crime-thieves-hi-tech-arms-race "One London resident watched on CCTV as a thief walked up to his £40,000 car and drove away," reports the Observer. "Now manufacturers say they are being drawn in to a hi-tech 'arms race' with criminals." [H]i-tech devices disguised as handheld games consoles are being traded online for thousands of pounds and are used by organised crime gangs to mimic the electronic key on an Ioniq 5, opening the doors and starting the engine. The device, known as an "emulator", works by intercepting a signal from the car, which is scanning for the presence of a legitimate key, and sending back a signal to gain access to the vehicle... Hyundai says it is looking at measures to prevent the use of emulators "as a priority". But it is not the only carmaker whose vehicles appear to be vulnerable. An Observer investigation found that models by Toyota, Lexus and Kia have also been targeted... British motorists now face an increase in the number of thefts and rising insurance premiums... Car thefts are at their highest level for a decade in England and Wales, rising from 85,803 vehicles in the year to March 2012 to 130,270 in the year to March 2023 — an increase of more than 50%. Part of the reason, say experts, is the rise of keyless entry... Kia did not respond to a request for comment. A spokesperson for Toyota, which owns Lexus, said: "Toyota and Lexus are continuously working on developing technical solutions to make vehicles more secure. So what's the upshot for you? In the meantime... "Many owners of Ioniq 5s, which sell from around £42,000, now use old fashioned steering locks to deter thieves." or you could go with a car coat, although getting your car into it could be a challenge. - click the pics for the podcast - So to recap: This week Apple jumped ahead of the pack and announced we’d be getting post-Quant encryption for our messages in iOS 17.4. We discovered an M&Ms vending machine that does its tracking while you are snacking and how one university is quickly banishing them from campus. In the Spy vs. Spy wars there’s been a huge leak that seems to have performed an embarrassing partial reveal on China’s cyber-spying on it’s neighbors Then, perhaps it was latent NSA induced jealousy, but the US Federal Trade Commission (FTC) let Avast antivirus software have it right in the chops for collecting 8 Petabytes of user data over 10 years. Calling it a “Bait and Switch” they said Avast purported to be securing users computers and instead it was collecting and selling absolutely everything!!! Following that is the huge class action lawsuit against a license plate scanning company out in Cali that you can be part of if your car’s plates been scanned at least 15 times. The estimate is that there will be up to 23 million Californians joining in on that one…. And potentially some incredibly well paid lawyers. Finally we ended with the suggestion that Hyundai gift one of those big, beautiful, heavy steel Crook-lock steering wheel locks with each Ioniq 5 they sell, because while the gadgets are all in place, the security is not. - click the pic for the podcast - Our quote of the week - “The only thing worse than forgetting where you parked is forgetting your keys in the car.” - click the pic for the podcast - That's it for this week. Stay safe, stay secure, stay out with car and we'll see you in se7en! The IT Privacy and Security Weekly Update fixes it for the week ending February 20th., 20242/20/2024 - click the pic to hear the podcast - Episode 179 - click the pic to hear the podcast - This week’s update is our most exciting yet:
Whatever it is, this update fixes it, so come join in the adventure! - click the pic to hear the podcast - Global: Wyze Says Camera Breach Let 13,000 Customers Briefly See Into Other People's Homes https://www.theverge.com/2024/2/19/24077233/wyze-security-camera-breach-13000-customers-events https://www.nytimes.com/wirecutter/blog/wyze-security-breach/ Wyze's problems with letting its security camera customers briefly see into other customer homes is a lot worse than we thought. Last week, co-founder David Crosby said that "so far" the company had identified 14 people who were able to briefly see into a stranger's property because they were shown an image from someone else's Wyze camera. Now we're being told that number of affected customers has ballooned to 13,000. The revelation came from an email sent to customers entitled "An Important Security Message from Wyze," in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS. The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation. So what's the upshot for you? How to securely remedy the ongoing security issues with your Wyze camera:
- click the pic to hear the podcast -
Global: LLM Agents can Autonomously Hack Websites https://arxiv.org/abs/2402.06664 A team of researchers from Cornell University have dropped a new paper that outlines some capabilities of Large Language Models that the world was probably hoping were not evidenced so rapidly: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents. In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs. So what's the upshot for you? Given that these models can now be run on high end laptops, the need for faster, more efficient vulnerability remediation on our Internet facing devices becomes paramount. It's only a matter of time. US: AI monitoring employees for ‘thought crimes’ in apps like Slack and Zoom https://www.cnbc.com/2024/02/09/ai-might-be-reading-your-slack-teams-messages-using-tech-from-aware.html https://dataprivacylab.org/projects/identifiability/paper1.pdf Aware, an AI firm specializing in analyzing employee messages, said companies including Walmart, Delta, T-Mobile, Chevron, Nestle, AstraZeneca and Starbucks are using its technology. Aware said its data repository contains messages that represent about 20 billion individual interactions across more than 3 million employees. “A lot of this becomes thought crime,” Jutta Williams, co-founder of Humane Intelligence, said of AI employee surveillance technology in general. She added, “This is treating people like inventory in a way I’ve not seen.” A client can specify a “violent threats” policy, or any other category, using Aware’s technology and have the AI models monitor for violations in Slack, Microsoft Teams and Workplace by Meta The client could also couple that with rule-based flags for certain phrases, statements and more. If the AI found something that violated a company’s specified policies, it could provide the employee’s name to the client’s designated representative. This type of practice has been used for years within email communications. What’s new is the use of AI and its application across workplace messaging platforms such as Slack and Teams. Using the anonymized data in Aware’s analytics product, clients can see how employees of a certain age group or in a particular geography are responding to a new corporate policy or marketing campaign, according to Jeff Schumann, co-founder and CEO of the Columbus, Ohio-based startup. Aware clients using its analytics tool also have the power to add metadata to message tracking, such as employee age, location, division, tenure or job function. “What they’re saying is relying on a very outdated and, I would say, entirely debunked notion at this point that anonymization or aggregation is like a magic bullet through the privacy concern." Even if data is aggregated or anonymized, research suggests, it’s a flawed concept. A landmark study on data privacy using 1990 U.S. Census data showed that 87% of Americans could be identified solely by using ZIP code, birth date and gender. So what's the upshot for you? Now you have to stay on your toes so as not to be perceived as committing "Thought crimes". We see bright, chrome handcuffs in our future. CN: Gold Pickaxe' Android, iOS Malware Steals Your Face https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/ A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple removed the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.' Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount. So what's the upshot for you? This is not malware you want on your phone. Always be vigilant as to what you are adding and if there is any hesitation, wipe and rebuild your phone, because once you lose your face, smiling becomes very difficult. US: DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses https://arstechnica.com/information-technology/2024/02/doj-turns-tables-on-russian-hackers-uses-their-malware-to-wipe-out-botnet/ More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the US Department of Justice (DoJ). That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password So what's the upshot for you? Malware said by the DOJ to be tied to the Chinese government was removed from Cisco and Netgear Small Office Home Office (SOHO) routers by the FBI last month in similar fashion US: Where will "Precision Agriculture" leave the farmers? https://www.nifa.usda.gov/grants/programs/precision-geospatial-sensor-technologies-programs/adoption-precision-agriculture https://fighttorepair.substack.com/p/precision-agriculture-has-its-cassandra Farming in the United States is undergoing a revolutionary change, akin to the shift brought by the Fordson (yes that Ford) tractor a century ago. Today, precision agriculture is at the forefront, employing technologies like internet-connected equipment and AI-driven sensors to redefine farming practices. From autonomous tractors to smart spraying systems, precision agriculture offers unprecedented efficiency and sustainability. However, smaller producers face challenges competing with larger counterparts who benefit from economies of scale. Moreover, the consolidation of agricultural technology raises concerns about cybersecurity risks and data ownership. While these technologies provide valuable insights, they also transfer control of essential farm data to corporate entities without farmers' full comprehension or compensation, turning farmers into little more than passive caretakers of automated equipment managed, controlled and accountable to distant corporate masters. This shift underscores a broader trend of farmers losing autonomy over their operations, potentially impacting their livelihoods. As precision agriculture advances, the balance between innovation and farmer empowerment becomes increasingly critical for the future of American agriculture. So what's the upshot for you? When you, in the name of greater efficiency, have your farm equipment mapping out your fields, performing precise watering, fertilizer and pesticide spraying and all that information is beamed right back to John Deere, it's only a matter of time before it's you standing in the way of progress. Global: Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private https://www.wired.com/story/signal-launches-usersnames-phone-number-privacy/ Signal, renowned for its end-to-end encrypted messaging, launches beta features to enhance phone number privacy. Users can now conceal their phone numbers and instead share usernames for communication, addressing a long-standing criticism of the app's design. Default settings hide phone numbers in profiles, with options to create unique usernames and control discoverability. These changes empower users in high-risk environments and offer greater privacy for all, says Signal's president, Meredith Whittaker. While the app still requires a phone number for registration, the update marks a significant step toward addressing privacy concerns among its millions of users. So what's the upshot for you? The worlds most secure messaging app now improves it's privacy Global: This Tiny Website Is Google's First Line of Defense in the Patent Wars https://www.tdcommons.org/ https://www.wired.com/story/google-tdcommons-dpub-patents-prior-art/ A trio of Google engineers recently came up with a futuristic way to help anyone who stumbles through presentations on video calls. They propose that when algorithms detect a speaker's pulse racing or "umms" lengthening, a generative AI bot that mimics their voice could simply take over. That cutting-edge idea wasn't revealed at a big company event or in an academic journal. Instead, it appeared in a 1,500-word post on a little-known, free website called TDCommons.org that Google has quietly owned and funded for nine years. Until WIRED received a link to an idea on TDCommons last year and got curious, Google had never spoken with the media about its website. Scrolling through TDCommons, you can read Google's latest ideas for coordinating smart home gadgets for better sleep, preserving privacy in mobile search results, and using AI to summarize a person's activities from their photo archives. And the submissions aren't exclusive to Google; about 150 organizations, including HP, Cisco, and Visa, also have posted inventions to the website. So what's the upshot for you? Working your way through tdcommons.org is an amazing adventure. - click the pic to hear the podcast - So to recap: This week’s update is our most exciting yet: You got driving lessons that help you fix security. As someone once said a long time ago “Fool me once, shame on you. Fool me twice Shame on me.” Wyze is the “security” camera company that is in the news for lack of or poor security more than any other. Follow our steps to secure your own Wyze cameras, but just don’t put the car through the side of the house doing it. AI that can discover vulnerabilities on it’s own to hack websites? Start working on your processes and procedures to put patches, updates and remediation in place immediately on release, because with AI checking up on your risk mitigation, you will be on a very short leash. Are thought crimes a thing right now? They will be if this Aware AI software sells into any more enterprises. Imagine having a blue Monday and just the tone of your Slack messages is enough to put you in front of HR. Remember a couple years ago when the worker had the upper hand? Those days are gone! The we told you about malware that will steal your face. Sure, you can laugh now but if the recent (Feb 6th.) story about the finance worker who wired $25 million on the orders of the deepfake CFO are anything to go by this is malware that will certainly remove the smile from your removed face. Then in the US we learned that US Department of Justice logged into any of our routers with the default admin account and password to remove malware. And gosh if they could only come back and do our Windows updates too…. Then we had the likes of John Deere, mapping out our farms, identifying what is growing where, the conditions, the success of weed and bug killers and fertilizers collecting the data over years, to a point where the farmer holds no secrets and is only in the way. Signal announced beta testing of its long awaited username feature, adding even more privacy to our favorite secure messaging app. And finally we took a stroll through Googles’ “Big ideas” website, created to reduce the friction of patents in technology, and offering a playground of brilliant innovation. Our quote of the week - “I like fixing things.” - Richard E. Grant That's it for this week. Stay safe, stay secure, remember to unmount the Wyze camera before you drive over it and we'll see you in se7en! - click the pic to hear the podcast - It’s that time of year again when love is in the air and this week’s update will be as embracing as a hug from Taylor Swift after a big Super bowl win. We start with a great misstep story about a hypothetical bot infection of millions of toothbrushes that is sure to leave a glint in your eye and a grin on your face. - click the pic to hear the podcast - As we recover from all the betting ads being hurled at us as US states legalize online betting one by one, we have a story about how the world’s biggest (by volume) casino faltered. From there we go underground, literally, with a newly released disclosure about real time survelliance that could have those in the world’s 37th largest city running for cover. Fresh and hot, we deliver an Apple turnover on the right to repair. Then an update from Google that might make spyware companies like Israel’s NSO group even less popular. And we finish with something that might have you reminiscing about school days and fake IDs, but this time we add in the artful hand of AI. You're in the mood, you’ll love this update. US/CH: "The toothbrushes are attacking," https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages The original text of last week's source report read: “She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused. - click the pic to hear the podcast - Here's the Aargauer Zeitung's (the source of the story) statement on the matter: What the cyber security firm Fortinet headquarters in California is now calling a “translation problem” sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real distributed denial of service (DDoS) at a meeting that discussed current threats. Fortinet provided specific details: information about how long the attack took down a Swiss company's website; an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers. The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to. Fortinet's global management has now backtracked on its statement, which was sent to various international media outlets. The company also failed to send the update to Swiss media outlets. So what's the upshot for you? You really don't want to think of your toothbrush as a participant in an online cyber attack, and heaven help us if the floss were to become involved! In the end it appears that Fortinet are the ones with the toothpaste left on their faces: Fortinet's head office claimed that the scenario was hypothetical and that we had ‘streched the narrative.’ US: Bad bet https://techcrunch.com/2024/02/09/winstar-hotel-casino-app-exposed-customer-personal-data/ The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web. Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings. The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only their web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to. Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse. So what's the upshot for you? The odds that the house will win at any game you play range from 1.06% for Baccarat to as much as 29% in Keno. With this one you can lose even more! UK: London Underground Is Testing Real-Time AI Surveillance Tools To Spot Crime https://www.wired.com/story/london-underground-ai-surveillance-documents/ Thousands of people using the London Underground had their movements, behavior, and body language watched by AI surveillance software designed to see if they were committing crimes or were in unsafe situations. The machine-learning software was combined with live CCTV footage to try to detect aggressive behavior and guns or knives being brandished, as well as looking for people falling onto Tube tracks or dodging fares. From October 2022 until the end of September 2023, Transport for London (TfL), which operates the city's Tube and bus network, tested 11 algorithms to monitor people passing through Willesden Green Tube station, in the northwest of the city. The proof of concept trial is the first time the transport body has combined AI and live video footage to generate alerts that are sent to frontline staff. More than 44,000 alerts were issued during the test, with 19,000 being delivered to station staff in real time. Documents sent to WIRED in response to a Freedom of Information Act request detail how TfL used a wide range of computer vision algorithms to track people's behavior while they were at the station. It is the first time the full details of the trial have been reported, and it follows TfL saying, in December, that it will expand its use of AI to detect fare dodging to more stations across the British capital. In the trial at Willesden Green -- a station that had 25,000 visitors per day before the Covid-19 pandemic -- the AI system was set up to detect potential safety incidents to allow staff to help people in need, but it also targeted criminal and antisocial behavior. Three documents provided to WIRED detail how AI models were used to detect wheelchairs, prams, vaping, people accessing unauthorized areas, or putting themselves in danger by getting close to the edge of the train platforms. So what's the upshot for you? It's interesting that this type of testing is now being performed "almost" covertly. As part of a transparency initiative... perhaps the results and any observed bias in them should also be made public. US: Wait. What? Now Apple Is Lobbying Against Right To Repair (Six Months After Supporting Right To Repair) https://www.404media.co/apple-is-lobbying-against-right-to-repair-again/ An Apple executive lobbied against a strong right-to-repair bill in Oregon Thursday, which is the first time the company has had an employee actively outline its stance on right to repair at an open hearing. Apple's position in Oregon shows that despite supporting a weaker right to repair law in California, it still intends to control its own repair ecosystem. It also sets up a highly interesting fight in the state because Google has come out in favor of the same legislation Apple is opposing. "It is our belief that the bill's current language around parts pairing will undermine the security, safety, and privacy of Oregonians by forcing device manufacturers to allow the use of parts of unknown origin in consumer devices," John Perry, Apple's principal secure repair architect, told the legislature. This is a quick about-face for the company, which after years of lobbying against right to repair, began to lobby for it in California last fall. The difference now is that Oregon's bill includes a critical provision that Google says it can easily comply with .... but that is core for Apple to maintain its dominance over the repair market. So what's the upshot for you? Ah, there it is... the devil... is always in the detail. Global: Google says spyware vendors are behind most of the zero-days it discovers https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf Commercial Surveillance Vendors (CSV) were behind 80% of the zero-day vulnerabilities Google's Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide. Zero-day vulnerabilities are security flaws the vendors of impacted software do not know about or for which there are no available fixes. Google's Threat Analysis Group has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties. Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors. Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations. So what's the upshot for you? "When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents commercial surveillance vendors from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating." - Google Global: An Instant Fake ID Factory https://www.404media.co/email/7ba8cca7-96d2-487d-a1e3-5cc0de98fc4e/ An underground website called OnlyFake is claiming to use “neural networks” to generate realistic looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds. In our own tests, OnlyFake created a highly convincing California driver's license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is laying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes. 404 Media then used another fake ID generated by this site to successfully step through the identity verification process on OKX. OKX is a cryptocurrency exchange that has recently appeared in multiple court records because of its use by criminals. Rather than painstakingly crafting a fake ID by hand—a highly skilled criminal profession that can take years to master—or waiting for a purchased one to arrive in the mail with the risk of interception, OnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems. So what's the upshot for you? “The era of rendering documents using Photoshop is coming to an end,” an announcement posted to OnlyFake’s Telegram account read. So to recap: We start with a great misstep story about a bot infection of millions of toothbrushes from Fortinet that left more than toothpaste on their faces. We got an update on a huge (by volume) casino database log that was just left “open”. From there we went underground, literally, with a newly released disclosure from the London Underground about surveillance software that is being used to determine if the 25,000 people passing through each day were committing crimes or doing unsafe things. 19,000 alerts were sent to staff in real time. Then Apple did a flip flop on their endorsement of right to repair with the introduction of a new bill in Oregon that apparently would take a bigger bite than Apple is comfortable with. An update from Google provides a shocking statistic that commercial surveillance vendors were behind 80% of the zero day vulnerabilities on our devices. We finished with a trip down memory lane to the land of fake IDs. This time AI has made the process quick and cheap enough so that we’d bet, in the near future we are going to see a load of copy cats popping up. - click the pic to hear the podcast - And our quote of the week - “Being deeply loved by someone gives you strength, while loving someone deeply gives you courage.” - Lao Tzu That's it for this week. Stay safe, stay secure, stay in love and we'll see you in se7en! Episode 177 This week we start with your dear Gran. When’s the last time you called her to see how she was doing? After our first update we hope that call will happen within the next day or two. - click on the pic to hear the podcast - From there we move to a model corporate citizen in CloudFlare and discover further repercussion from last year’s Okta Breach and a remote desktop solution that could almost use their breech as a PR exercise. We are reminded that everyone on that Zoom call might not be as they seem, and find a glorious dip in ransomware payouts that hopefully indicate the new direction of ransomware attacks. Then... we go dark with a report that has probably crossed all of our minds since the Covid-19 outbreak. We get some good news for the environment from some joint work between MIT and IBM and we end with what some would call a regulatory imbalance. From empathy to entropy and back again this week’s update gets the balance right. US: Check on your Gran https://arstechnica.com/security/2024/01/scammers-liquidating-victims-life-savings-are-now-sending-live-couriers/ Scammers are stepping up their game by sending couriers to the homes of elderly people and others as part of a ruse intended to rob them of their life savings, the FBI said in an advisory Monday. “The FBI is warning the public about scammers instructing victims, many of whom are senior citizens, to liquidate their assets into cash and/or buy gold, silver, or other precious metals to protect their funds,” FBI officials with the agency’s Internet Crime Complaint Center said. “Criminals then arrange for couriers to meet the victims in person to pick up the cash or precious metals.” Officials said that from May to December of last year, they tracked estimated aggregate losses topping $55 million from this sort of scam. More generally, the agency received 19,000 complaints of scams from January to June of 2023, with estimated victim losses of $542 million. Almost half of the victims were over 60 years old and accounted for 66 percent of the aggregated losses. So what's the upshot for you? Scam tactics are becoming more aggressive against a demographic who may have less contact with others. Not everyone reads this blog or listens to this podcast, perhaps it's time you advocated they did. Global: Cloudflare hacked using auth tokens stolen in Okta attack https://www.securityweek.com/cloudflare-hacked-by-suspected-state-sponsored-attacker/ Web security and content delivery network (CDN) giant Cloudflare disclosed Feb 1st. that it was hacked by a threat actor using stolen credentials to access internal systems, code repositories, along with an AWS environment, as well as Atlassian, Jira and Confluence. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold. According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted. So what's the upshot for you? Cloudflare run a pretty tight ship so it's both disheartening to see them compromised by last year's Okta data breach and sad, as apparently they had not gotten around to changing absolutely all the tokens compromised in the Okta breach. They have now! Global: AnyDesk says hackers breached its production servers, reset password https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/ AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with the enterprise, which use it for remote support or to access colocated servers. The software is also popular among threat actors who use it for persistent access to breached devices and networks. The company reports having 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations. AnyDesk says they first learned of the attack after detecting indications of an incident on their production servers. After conducting a security audit, they determined their systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike. Threat actors stole source code and code signing certificates. AnyDesk says they have revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident. While the company says that no authentication tokens were stolen, out of caution, AnyDesk is revoking all passwords to their web portal and suggests changing the password if it's used on other sites. So what's the upshot for you? We were not aware of Anydesk remote software until this breach. Depending on their handling of this situation it could actually turn out to be a public relations coup for the company. HK: Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’ https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html This is two day old news but still holds some interesting secrets until all the details are revealed. A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police. The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday. “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK. The scam involving the fake CFO was only discovered when the employee later checked with the corporation’s head office. So what's the upshot for you? Ask more questions. Deepfakes may get very good, but the responses are still slow. Any suspicions can be confirmed with a phone call to that individual. Global: Ransomware payment rates drop to new low – now 'only 29% of victims' pay https://www.theregister.com/2024/01/31/ransomware_payment_rates_drop/ Trusting a ransomware crew to honor a deal isn't the greatest idea, and the world seems to be waking up to that. It's claimed that number of victims who chose to pay dropped to a new low of 29 percent in the last quarter of 2023. The data from ransomware response and negotiation company Coveware continues a downward trend since it began monitoring in 2019, when it said the rate of companies choosing to pay ransomware actors was a whopping 85 percent. The reason for the change, Coveware founder and CEO Bill Siegel states in the company's latest quarterly report, comes down to awareness. Not only are more ransomware victims prepared for the inevitability of attacks by keeping better backups, Siegel points out, but several years of ransomware making top headlines – and associated stories of payments amounting to nothing – have led to a reluctance to trust data kidnappers. So what's the upshot for you? Any news about the degradation of ransomware numbers is good news. Interestingly "banning" payments made to ransomware extortionists had less of an overall effect on numbers of intances. Heightened awareness about ransomware attacks has allowed businesses to arm themselves with backup and recovery strategies. Global: The Human Domain of War https://www.rand.org/content/dam/rand/pubs/research_reports/RRA2500/RRA2520-1/RAND_RRA2520-1.pdf You only need to think back to Covid-19 and add in the recent 23&me breach and sprinkle in a bit of Elon's NeuralLink to understand the context of this recently published thesis: Recent advancements in biotechnology are reshaping perspectives on its role in warfare. While historically viewed as too risky for friendly forces, new technologies like mRNA vaccines, CRISPR gene editing, and brain-computer interfaces (BCIs) are altering strategic calculations. With more countries developing advanced biotech capabilities, the future of warfare is evolving rapidly. Biotechnology's potential in war is reminiscent of its dual role in past conflicts as both a weapon and a cure. Now, with AI algorithms and human-machine systems, warfare could involve hyper-sophisticated machines controlled by human thoughts and genetically targeted plagues. This 21st-century biotech revolution is challenging traditional notions of warfare. Future conflicts may feature enhanced warfighters with modified genomes, capable of surviving extreme combat conditions. As we delve into the implications of these technologies, it's clear that the human body is becoming a strategic domain in modern warfare. So what's the upshot for you? The research report starts with a vignette where a nation state creates a virus, innoculates its soldiers against that virus and then attacks a weakened "adversary". This is a thought provoking exercise, but one that is relevant to your understanding of the value of some of the material circulating that includes Personal Health information (PHI). US: MIT and IBM Find Clever AI Ways Around Brute-Force Math https://spectrum.ieee.org/mathematical-model-ai In a breakthrough for solving complex mathematical equations crucial in science and engineering, researchers have unveiled a new method harnessing brain-inspired neural networks. These equations, known as partial differential equations, model intricate physical systems involving multiple rates of change across space and time, from air flow around aircraft wings to the behavior of pollutants in the atmosphere. Traditionally, solving such equations demanded high-precision numerical methods, which are both time-consuming and computationally intensive. Enter data-driven surrogate models, like neural networks, which offer a simpler alternative but require vast amounts of data for training. Now, scientists have pioneered a fresh approach called physics-enhanced deep surrogate (PEDS) models. By integrating physics simulators into neural network training, these models can achieve unprecedented accuracy with just a fraction of the data previously needed. Testing PEDS on various physical systems, including diffusion and electromagnetic scattering, researchers found these models to be up to three times more accurate than conventional neural networks. Remarkably, they achieved this level of accuracy with only around 1,000 training points, drastically reducing the data requirement by a factor of 100. According to lead author Raphaël Pestourie, this innovative fusion of neural networks and scientific expertise opens doors to accelerating simulations in diverse fields, from weather forecasting to nuclear reactor analysis. So what's the upshot for you? This is an exciting development in an world where LLMs are supplanting Bitcoin in the consumption of datacenter resources. - click on the pic to hear the podcast - EU: Europe Regulates Its Way To Last Place https://www.wsj.com/economy/europe-regulates-its-way-to-last-place-2a03c21d From mergers to AI, the EU's aggressive rule-making hampers its ability to compete with China and the U.S. These are humbling times for Europe. The continent barely escaped recession late last year as the U.S. boomed. It is losing out to the U.S. on artificial intelligence, and to China on electric vehicles. There is one field where the European Union still leads the world: regulation. Having set the standard on regulating mergers, carbon emissions, data privacy, and e-commerce competition, the EU now seeks to do the same on AI. In December it unveiled a sweeping draft law that bans certain types of AI, tightly regulates others, and imposes huge fines for violators. Its executive arm, the European Commission, might investigate Microsoft's tie-up with OpenAI as potentially anticompetitive. Never before has "America innovates, China replicates, Europe regulates" so aptly captured each region's comparative advantage. The technocrats who staff the EU in Brussels aren't anti-free market. Just the opposite: they still believe in free trade, unlike the U.S. or China. Much of their regulation is aimed at protecting consumers and competition from meddling national governments. But there's a trade-off between consumer protection and the profit motive that drives investment and innovation, and the EU might be getting that trade-off wrong. For example, to preserve competition, European regulators have resisted mergers that leave just a handful of mobile phone carriers per market. As a result Europe now has 43 groups running 102 mobile operators serving a population of 474 million, while the U.S. has three major networks serving a population of 335 million, according to telecommunications consultant John Strand. China and India are even more concentrated. European mobile customers as a result pay only about a third of what Americans do. But that's why European carriers invest only half as much per customer and their networks are commensurately worse. Swedish telecommunications equipment manufacturer Ericsson's sales in Europe suffer in part because many carriers are too small and unprofitable to update to the latest 5G networks. "Europe has prioritized shorter-term low consumer prices at the expense of quality infrastructure," chief executive Borje Ekholm told me in Davos earlier this month. "I'm very concerned about Europe. We need to invest much more in infrastructure, in being digital." So what's the upshot for you? Get the balance right. So to recap: This week we start with your dear Gran. When’s the last time you called her to see how she was doing? It’s important to remember that older individuals may have less mobility and less opportunity to socialize, bouncing ideas and updates off each other. This demographic is being targeted like never before with scams: over the phone, computer and now in person. From there we move to a model corporate citizen in CloudFlare and discover further repercussion from last year’s Okta Breach. The had changed most of their tokens… but not all of them. This breach motivated a cleanup that got everything refreshed. We saw a solid, professional response from software maker Anydesk in the identification and remediation of their compromise, turning a negative situation into a more positive outcome. Ransomware payouts have taken a dip recently. This can only be good news to those who spent each day in fear of when it might happen to them. Thankfully better processes, backups, recoveries and understanding have put businesses back on the front foot in these encounters. We featured a report that talks through what the advances in genetic engineering, AI and neural implants might mean on the battlefield (as everything that can be used to fight wars will be). It’s a sobering, but enlightening consideration. We got some good news for the environment from some joint work between MIT and IBM in terms of faster, more efficient AI training and we ended with good intent from the EU to protect its citizens, backfiring somewhat in terms of trade and progress. Sometimes it’s hard to get the balance right. - click on the pic to hear the podcast - And our quote of the week - “Life is like riding a bicycle. To keep your balance, you must keep moving forward.” Albert Einstein That's it for this week. Stay safe, stay secure, stay balanced and we'll see you in se7en! |