The IT Privacy and Security Weekly Update fixes it for the week ending February 20th, 2024 - click the pic to hear the podcast - Episode 179

This week’s update is our most exciting yet:
Whatever it is, this update fixes it, so come join in the adventure!

Global: Wyze Says Camera Breach Let 13,000 Customers Briefly See Into Other People's Homes
https://www.theverge.com/2024/2/19/24077233/wyze-security-camera-breach-13000-customers-events
https://www.nytimes.com/wirecutter/blog/wyze-security-breach/

Wyze's problems with letting its security camera customers briefly see into other customers' homes are a lot worse than we thought. Last week, co-founder David Crosby said that "so far" the company had identified 14 people who were able to briefly see into a stranger's property because they were shown an image from someone else's Wyze camera. Now we're being told that the number of affected customers has ballooned to 13,000. The revelation came from an email sent to customers entitled "An Important Security Message from Wyze," in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS. The mix-up itself, however, occurred as Wyze was attempting to bring its cameras back online after the outage: Wyze said a third-party caching library, overloaded as devices reconnected, mixed up device IDs and user IDs. Customers started reporting mysterious images and video footage in their own Events tab; Wyze disabled access to the tab and launched its own investigation.

So what's the upshot for you? How to securely remedy the ongoing security issues with your Wyze camera:
Global: LLM Agents can Autonomously Hack Websites
https://arxiv.org/abs/2402.06664

A team of researchers from the University of Illinois Urbana-Champaign (the paper is hosted on Cornell's arXiv) has dropped a new paper that outlines some capabilities of Large Language Models that the world was probably hoping would not be demonstrated so rapidly. From the abstract:

"In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents. In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs."

So what's the upshot for you? The paper found that only a frontier model (GPT-4) could pull this off and that the open-source models it tested could not, but a frontier model is an API key away for anyone, so the need for faster, more efficient vulnerability remediation on our Internet-facing devices becomes paramount. It's only a matter of time.
US: AI monitoring employees for ‘thought crimes’ in apps like Slack and Zoom
https://www.cnbc.com/2024/02/09/ai-might-be-reading-your-slack-teams-messages-using-tech-from-aware.html
https://dataprivacylab.org/projects/identifiability/paper1.pdf

Aware, an AI firm specializing in analyzing employee messages, said companies including Walmart, Delta, T-Mobile, Chevron, Nestle, AstraZeneca and Starbucks are using its technology. Aware said its data repository contains messages that represent about 20 billion individual interactions across more than 3 million employees. “A lot of this becomes thought crime,” Jutta Williams, co-founder of Humane Intelligence, said of AI employee surveillance technology in general. She added, “This is treating people like inventory in a way I’ve not seen.”

A client can specify a “violent threats” policy, or any other category, using Aware’s technology and have the AI models monitor for violations in Slack, Microsoft Teams and Workplace by Meta. The client could also couple that with rule-based flags for certain phrases, statements and more. If the AI found something that violated a company’s specified policies, it could provide the employee’s name to the client’s designated representative. This type of practice has been used for years within email communications. What’s new is the use of AI and its application across workplace messaging platforms such as Slack and Teams.

Using the anonymized data in Aware’s analytics product, clients can see how employees of a certain age group or in a particular geography are responding to a new corporate policy or marketing campaign, according to Jeff Schumann, co-founder and CEO of the Columbus, Ohio-based startup. Aware clients using its analytics tool also have the power to add metadata to message tracking, such as employee age, location, division, tenure or job function.
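To make the re-identification risk concrete, here is an added example of ours (not Aware's or CNBC's code; the roster, the export and the policy flags are constructed, hypothetical data) that treats exactly the metadata the product lets clients attach, age, location, division and tenure, as quasi-identifiers. It links a name-free "anonymized" export back to an HR directory, measures the k-anonymity of the export, and shows what coarsening those fields does to the result:

```python
from collections import Counter, defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Quasi-identifiers: fields that are not names but, combined, single people out.
QI = ("age", "city", "division", "tenure")

# Constructed HR directory (hypothetical people, not real data). Anyone with
# directory access, an org chart or LinkedIn can assemble something like this.
DIRECTORY = [
    {"name": "Ana", "age": 34, "city": "Columbus", "division": "Sales", "tenure": 2},
    {"name": "Ben", "age": 36, "city": "Columbus", "division": "Sales", "tenure": 3},
    {"name": "Cat", "age": 38, "city": "Columbus", "division": "Sales", "tenure": 4},
    {"name": "Dev", "age": 30, "city": "Seattle", "division": "Eng", "tenure": 1},
    {"name": "Eli", "age": 31, "city": "Seattle", "division": "Eng", "tenure": 1},
    {"name": "Fay", "age": 58, "city": "Seattle", "division": "Legal", "tenure": 20},
    {"name": "Gus", "age": 45, "city": "Austin", "division": "Eng", "tenure": 9},
    {"name": "Hal", "age": 47, "city": "Austin", "division": "Eng", "tenure": 11},
    {"name": "Ivy", "age": 52, "city": "Seattle", "division": "Legal", "tenure": 16},
]

# Constructed "anonymized" analytics export: names removed, per-message
# metadata kept, plus a policy flag of the kind the article describes.
FLAGGED = {"Ana": False, "Ben": False, "Cat": True, "Dev": False, "Eli": True,
           "Fay": True, "Gus": False, "Hal": False, "Ivy": False}
EXPORT = [dict({k: p[k] for k in QI}, flagged=FLAGGED[p["name"]]) for p in DIRECTORY]

Row = Dict[str, object]
Generalizer = Optional[Callable[[Row], Row]]


def qi_key(row: Row, generalize: Generalizer = None) -> Tuple[object, ...]:
    """The quasi-identifier tuple for a row, after optional generalization."""
    view = generalize(row) if generalize else row
    return tuple(view[k] for k in QI)


def k_anonymity(rows: Iterable[Row], generalize: Generalizer = None) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.
    k == 1 means at least one row is unique and therefore linkable."""
    classes = Counter(qi_key(r, generalize) for r in rows)
    return min(classes.values())


def reidentify(export: Iterable[Row], directory: Iterable[Row],
               generalize: Generalizer = None) -> Dict[str, bool]:
    """Linkage attack: map an export row to a name when exactly one directory
    entry shares its quasi-identifier tuple. Returns name -> policy flag."""
    by_key: Dict[Tuple[object, ...], List[str]] = defaultdict(list)
    for person in directory:
        by_key[qi_key(person, generalize)].append(str(person["name"]))
    hits: Dict[str, bool] = {}
    for row in export:
        names = by_key.get(qi_key(row, generalize), [])
        if len(names) == 1:  # unique match: the "anonymous" row now has a name
            hits[names[0]] = bool(row["flagged"])
    return hits


def coarsen(row: Row) -> Row:
    """Generalize age to a decade band and tenure to three buckets; city and
    division are kept as they are. This is what the export should have done."""
    view = dict(row)
    view["age"] = f"{int(row['age']) // 10 * 10}s"
    tenure = int(row["tenure"])
    view["tenure"] = "<5" if tenure < 5 else "5-14" if tenure < 15 else "15+"
    return view


if __name__ == "__main__":
    print("raw export: k =", k_anonymity(EXPORT))
    print("re-identified:", reidentify(EXPORT, DIRECTORY))
    print("coarsened export: k =", k_anonymity(EXPORT, coarsen))
    print("re-identified after coarsening:", reidentify(EXPORT, DIRECTORY, coarsen))
```

On the raw export every row is unique (k = 1) and all nine "anonymous" rows, flags included, come back with a name attached; after coarsening the smallest class has two members and the linkage finds nobody. The same leak hides inside "aggregate" reporting: a sentiment chart for "Legal, Seattle, 50s" is one person's mood with a label on it, so an analytics product that promises anonymity has to refuse to answer for any cell smaller than its chosen k.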
“What they’re saying is relying on a very outdated and, I would say, entirely debunked notion at this point that anonymization or aggregation is like a magic bullet through the privacy concern." Even if data is aggregated or anonymized, research suggests, it’s a flawed concept: a landmark study on data privacy using 1990 U.S. Census data showed that 87% of Americans could be identified solely by using ZIP code, birth date and gender.

So what's the upshot for you? Now you have to stay on your toes so as not to be perceived as committing "thought crimes". We see bright, chrome handcuffs in our future.

CN: 'Gold Pickaxe' Android, iOS Malware Steals Your Face
https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/

A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them being adopted by other malware strains. For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal App Store review process. When Apple removed the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile, which gives the threat actors control over the device.
Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.' Group-IB says the Android version of the trojan performs more malicious activities than the iOS version because Apple's platform restrictions are tighter. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, on Android GoldPickaxe can also run commands to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, corroborated by the Thai police, based on the fact that many financial institutions added biometric checks last year for transactions above a certain amount.

So what's the upshot for you? This is not malware you want on your phone. Always be vigilant about what you are adding, never install an MDM profile or a TestFlight build just because a "government app" asks you to, and if there is any hesitation, wipe and rebuild your phone, because once you lose your face, smiling becomes very difficult.

US: DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses
https://arstechnica.com/information-technology/2024/02/doj-turns-tables-on-russian-hackers-uses-their-malware-to-wipe-out-botnet/

More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the US Department of Justice (DoJ). That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director.
It affected routers running Ubiquiti's EdgeOS, but only those whose owners had not changed the default administrative password.

So what's the upshot for you? Malware said by the DOJ to be tied to the Chinese government was removed from Cisco and Netgear Small Office Home Office (SOHO) routers by the FBI last month in similar fashion. If your router still answers to its factory default credentials, change them now; that single step is what separated the infected devices from the rest.

US: Where will "Precision Agriculture" leave the farmers?
https://www.nifa.usda.gov/grants/programs/precision-geospatial-sensor-technologies-programs/adoption-precision-agriculture
https://fighttorepair.substack.com/p/precision-agriculture-has-its-cassandra

Farming in the United States is undergoing a revolutionary change, akin to the shift brought by the Fordson (yes, that Ford) tractor a century ago. Today, precision agriculture is at the forefront, employing technologies like internet-connected equipment and AI-driven sensors to redefine farming practices. From autonomous tractors to smart spraying systems, precision agriculture offers unprecedented efficiency and sustainability. However, smaller producers face challenges competing with larger counterparts who benefit from economies of scale. Moreover, the consolidation of agricultural technology raises concerns about cybersecurity risks and data ownership. While these technologies provide valuable insights, they also transfer control of essential farm data to corporate entities without farmers' full comprehension or compensation, turning farmers into little more than passive caretakers of automated equipment managed and controlled by, and accountable to, distant corporate masters. This shift underscores a broader trend of farmers losing autonomy over their operations, potentially impacting their livelihoods. As precision agriculture advances, the balance between innovation and farmer empowerment becomes increasingly critical for the future of American agriculture.

So what's the upshot for you?
When you, in the name of greater efficiency, have your farm equipment mapping out your fields, performing precise watering, fertilizer and pesticide spraying, and all that information is beamed right back to John Deere, it's only a matter of time before it's you standing in the way of progress.

Global: Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private
https://www.wired.com/story/signal-launches-usersnames-phone-number-privacy/

Signal, renowned for its end-to-end encrypted messaging, is launching beta features to enhance phone number privacy. Users can now conceal their phone numbers and instead share usernames for communication, addressing a long-standing criticism of the app's design. Default settings hide phone numbers in profiles, with options to create unique usernames and control discoverability. These changes empower users in high-risk environments and offer greater privacy for all, says Signal's president, Meredith Whittaker. While the app still requires a phone number for registration, the update marks a significant step toward addressing privacy concerns among its millions of users.

So what's the upshot for you? The world's most secure messaging app now improves its privacy.

Global: This Tiny Website Is Google's First Line of Defense in the Patent Wars
https://www.tdcommons.org/
https://www.wired.com/story/google-tdcommons-dpub-patents-prior-art/

A trio of Google engineers recently came up with a futuristic way to help anyone who stumbles through presentations on video calls. They propose that when algorithms detect a speaker's pulse racing or "umms" lengthening, a generative AI bot that mimics their voice could simply take over. That cutting-edge idea wasn't revealed at a big company event or in an academic journal. Instead, it appeared in a 1,500-word post on a little-known, free website called TDCommons.org that Google has quietly owned and funded for nine years.
Until WIRED received a link to an idea on TDCommons last year and got curious, Google had never spoken with the media about its website. Scrolling through TDCommons, you can read Google's latest ideas for coordinating smart home gadgets for better sleep, preserving privacy in mobile search results, and using AI to summarize a person's activities from their photo archives. And the submissions aren't exclusive to Google; about 150 organizations, including HP, Cisco, and Visa, have also posted inventions to the website.

So what's the upshot for you? Working your way through tdcommons.org is an amazing adventure.

So to recap: This week’s update is our most exciting yet. You got driving lessons that help you fix security. As someone once said a long time ago, “Fool me once, shame on you. Fool me twice, shame on me.” Wyze is the “security” camera company that is in the news for lack of, or poor, security more than any other. Follow our steps to secure your own Wyze cameras, but just don’t put the car through the side of the house doing it. AI that can discover vulnerabilities on its own to hack websites? Start working on your processes and procedures to put patches, updates and remediation in place immediately on release, because with AI checking up on your risk mitigation, you will be on a very short leash. Are thought crimes a thing right now? They will be if this Aware AI software sells into any more enterprises. Imagine having a blue Monday and just the tone of your Slack messages is enough to put you in front of HR. Remember a couple of years ago when the worker had the upper hand? Those days are gone! Then we told you about malware that will steal your face. Sure, you can laugh now, but if the recent (Feb 6th) story about the finance worker who wired $25 million on the orders of a deepfake CFO is anything to go by, this is malware that will certainly remove the smile from your stolen face.
Then in the US we learned that the US Department of Justice logged into some of our routers using the default admin account and password to remove malware. And gosh, if they could only come back and do our Windows updates too…. Then we had the likes of John Deere mapping out our farms, identifying what is growing where, the conditions, the success of weed and bug killers and fertilizers, collecting the data over years, to the point where the farmer holds no secrets and is only in the way. Signal announced beta testing of its long-awaited username feature, adding even more privacy to our favorite secure messaging app. And finally we took a stroll through Google's “big ideas” website, created to reduce the friction of patents in technology and offering a playground of brilliant innovation.

Our quote of the week - “I like fixing things.” - Richard E. Grant

That's it for this week. Stay safe, stay secure, remember to unmount the Wyze camera before you drive over it and we'll see you in se7en!

Episode 178

It’s that time of year again when love is in the air and this week’s update will be as embracing as a hug from Taylor Swift after a big Super Bowl win. We start with a great misstep story about a hypothetical bot infection of millions of toothbrushes that is sure to leave a glint in your eye and a grin on your face. As we recover from all the betting ads being hurled at us as US states legalize online betting one by one, we have a story about how the world’s biggest (by volume) casino faltered. From there we go underground, literally, with a newly released disclosure about real-time surveillance that could have those in the world’s 37th largest city running for cover. Fresh and hot, we deliver an Apple turnover on the right to repair. Then an update from Google that might make spyware companies like Israel’s NSO Group even less popular.
And we finish with something that might have you reminiscing about school days and fake IDs, but this time we add in the artful hand of AI. If you're in the mood, you’ll love this update.

US/CH: "The toothbrushes are attacking"
https://www.tomshardware.com/networking/three-million-malware-infected-smart-toothbrushes-used-in-swiss-ddos-attacks-botnet-causes-millions-of-euros-in-damages

The original text of last week's source report read: “She's in the bathroom at home, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have installed malware on it unnoticed - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

Here's the Aargauer Zeitung's (the source of the story) statement on the matter: What the cyber security firm Fortinet, headquartered in California, is now calling a “translation problem” sounded completely different during the research: Swiss Fortinet representatives described the toothbrush case as a real distributed denial of service (DDoS) at a meeting that discussed current threats. Fortinet provided specific details: information about how long the attack took down a Swiss company's website; an order of magnitude of how great the damage was. Fortinet did not want to reveal which company it was out of consideration for its customers. The text was submitted to Fortinet for verification before publication. The statement that this was a real case that really happened was not objected to. Fortinet's global management has now backtracked on its statement, which was sent to various international media outlets. The company also failed to send the update to Swiss media outlets.

So what's the upshot for you?
You really don't want to think of your toothbrush as a participant in an online cyber attack, and heaven help us if the floss were to become involved! In the end it appears that Fortinet are the ones with the toothpaste left on their faces: Fortinet's head office claimed that the scenario was hypothetical and that the newspaper had ‘stretched the narrative.’

US: Bad bet
https://techcrunch.com/2024/02/09/winstar-hotel-casino-app-exposed-customer-personal-data/

The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers' private information to the open web. Oklahoma-based WinStar bills itself as the "world's biggest casino" by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings. The app is developed by a Nevada software startup called Dexiga. The startup left one of its logging databases on the internet without a password, allowing anyone with knowledge of its public IP address to access the WinStar customer data stored within using only a web browser. Dexiga took the database offline after TechCrunch alerted the company to the security lapse. Anurag Sen, a good-faith security researcher who has a knack for discovering inadvertently exposed sensitive data on the internet, found the database containing personal information, but it was initially unclear who the database belonged to. Sen said the personal data included full names, phone numbers, email addresses and home addresses. Sen shared details of the exposed database with TechCrunch to help identify its owner and disclose the security lapse.

So what's the upshot for you? The house edge on any game you play ranges from about 1.06% for baccarat to as much as 29% in keno. With this one you can lose even more!
UK: London Underground Is Testing Real-Time AI Surveillance Tools To Spot Crime
https://www.wired.com/story/london-underground-ai-surveillance-documents/

Thousands of people using the London Underground had their movements, behavior, and body language watched by AI surveillance software designed to see if they were committing crimes or were in unsafe situations. The machine-learning software was combined with live CCTV footage to try to detect aggressive behavior and guns or knives being brandished, as well as looking for people falling onto Tube tracks or dodging fares. From October 2022 until the end of September 2023, Transport for London (TfL), which operates the city's Tube and bus network, tested 11 algorithms to monitor people passing through Willesden Green Tube station, in the northwest of the city. The proof-of-concept trial is the first time the transport body has combined AI and live video footage to generate alerts that are sent to frontline staff. More than 44,000 alerts were issued during the test, with 19,000 being delivered to station staff in real time.

Documents sent to WIRED in response to a Freedom of Information Act request detail how TfL used a wide range of computer vision algorithms to track people's behavior while they were at the station. It is the first time the full details of the trial have been reported, and it follows TfL saying, in December, that it will expand its use of AI to detect fare dodging to more stations across the British capital. In the trial at Willesden Green -- a station that had 25,000 visitors per day before the Covid-19 pandemic -- the AI system was set up to detect potential safety incidents to allow staff to help people in need, but it also targeted criminal and antisocial behavior. Three documents provided to WIRED detail how AI models were used to detect wheelchairs, prams, vaping, people accessing unauthorized areas, or putting themselves in danger by getting close to the edge of the train platforms.
So what's the upshot for you? It's interesting that this type of testing is now being performed "almost" covertly. As part of a transparency initiative, perhaps the results, and any bias observed in them, should also be made public.

US: Wait. What? Now Apple Is Lobbying Against Right To Repair (Six Months After Supporting Right To Repair)
https://www.404media.co/apple-is-lobbying-against-right-to-repair-again/

An Apple executive lobbied against a strong right-to-repair bill in Oregon on Thursday, which is the first time the company has had an employee actively outline its stance on right to repair at an open hearing. Apple's position in Oregon shows that despite supporting a weaker right-to-repair law in California, it still intends to control its own repair ecosystem. It also sets up a highly interesting fight in the state because Google has come out in favor of the same legislation Apple is opposing. "It is our belief that the bill's current language around parts pairing will undermine the security, safety, and privacy of Oregonians by forcing device manufacturers to allow the use of parts of unknown origin in consumer devices," John Perry, Apple's principal secure repair architect, told the legislature. This is a quick about-face for the company, which after years of lobbying against right to repair began to lobby for it in California last fall. The difference now is that Oregon's bill includes a critical provision restricting parts pairing (software-locking a replacement part to one specific device) that Google says it can easily comply with, but that is core to Apple maintaining its dominance over the repair market.

So what's the upshot for you? Ah, there it is... the devil is always in the detail.
Global: Google says spyware vendors are behind most of the zero-days it discovers
https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf

Commercial Surveillance Vendors (CSVs) were behind 80% of the zero-day vulnerabilities Google's Threat Analysis Group (TAG) discovered being exploited in 2023, used to spy on devices worldwide. Zero-day vulnerabilities are security flaws the vendors of the impacted software do not know about, or for which there are no available fixes. Google's Threat Analysis Group has been following the activities of 40 commercial spyware vendors to detect exploitation attempts, protect users of its products, and help safeguard the broader community by reporting key findings to the appropriate parties. Based on this monitoring, Google has found that 35 of the 72 known in-the-wild zero-day exploits impacting its products over the last ten years can be attributed to spyware vendors. Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations.

So what's the upshot for you? "When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents commercial surveillance vendors from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating." - Google

Global: An Instant Fake ID Factory
https://www.404media.co/email/7ba8cca7-96d2-487d-a1e3-5cc0de98fc4e/

An underground website called OnlyFake is claiming to use “neural networks” to generate realistic-looking photos of fake IDs for just $15, radically disrupting the marketplace for fake identities and cybersecurity more generally. This technology, which 404 Media has verified produces fake IDs nearly instantly, could streamline everything from bank fraud to laundering stolen funds.
In our own tests, OnlyFake created a highly convincing California driver's license, complete with whatever arbitrary name, biographical information, address, expiration date, and signature we wanted. The photo even gives the appearance that the ID card is lying on a fluffy carpet, as if someone has placed it on the floor and snapped a picture, which many sites require for verification purposes. 404 Media then used another fake ID generated by this site to successfully step through the identity verification process on OKX. OKX is a cryptocurrency exchange that has recently appeared in multiple court records because of its use by criminals. Rather than painstakingly crafting a fake ID by hand—a highly skilled criminal profession that can take years to master—or waiting for a purchased one to arrive in the mail with the risk of interception, OnlyFake lets essentially anyone generate fake IDs in minutes that may seem real enough to bypass various online verification systems.

So what's the upshot for you? “The era of rendering documents using Photoshop is coming to an end,” an announcement posted to OnlyFake’s Telegram account read. Any verification flow that accepts a photo of a card on a carpet is now the weak link.

So to recap: We started with a great misstep story about a bot infection of millions of toothbrushes from Fortinet that left more than toothpaste on their faces. We got an update on a huge (by volume) casino's database log that was just left “open”. From there we went underground, literally, with a newly released disclosure from the London Underground about surveillance software that is being used to determine if the 25,000 people passing through each day were committing crimes or doing unsafe things; 19,000 alerts were sent to staff in real time. Then Apple did a flip-flop on its endorsement of right to repair with the introduction of a new bill in Oregon that apparently would take a bigger bite than Apple is comfortable with.
An update from Google provides a shocking statistic: commercial surveillance vendors were behind 80% of the zero-day vulnerabilities Google found being exploited on our devices last year. We finished with a trip down memory lane to the land of fake IDs. This time AI has made the process quick and cheap enough that we’d bet, in the near future, we are going to see a load of copycats popping up.

And our quote of the week - “Being deeply loved by someone gives you strength, while loving someone deeply gives you courage.” - Lao Tzu

That's it for this week. Stay safe, stay secure, stay in love and we'll see you in se7en!

Episode 177

This week we start with your dear Gran. When’s the last time you called her to see how she was doing? After our first update we hope that call will happen within the next day or two. From there we move to a model corporate citizen in Cloudflare and discover further repercussions from last year’s Okta breach, and a remote desktop solution that could almost use its breach as a PR exercise. We are reminded that everyone on that Zoom call might not be as they seem, and find a glorious dip in ransomware payouts that hopefully indicates the new direction of ransomware attacks. Then... we go dark with a report that has probably crossed all of our minds since the Covid-19 outbreak. We get some good news for the environment from some joint work between MIT and IBM and we end with what some would call a regulatory imbalance. From empathy to entropy and back again, this week’s update gets the balance right.

US: Check on your Gran
https://arstechnica.com/security/2024/01/scammers-liquidating-victims-life-savings-are-now-sending-live-couriers/

Scammers are stepping up their game by sending couriers to the homes of elderly people and others as part of a ruse intended to rob them of their life savings, the FBI said in an advisory Monday.
“The FBI is warning the public about scammers instructing victims, many of whom are senior citizens, to liquidate their assets into cash and/or buy gold, silver, or other precious metals to protect their funds,” FBI officials with the agency’s Internet Crime Complaint Center said. “Criminals then arrange for couriers to meet the victims in person to pick up the cash or precious metals.” Officials said that from May to December of last year, they tracked estimated aggregate losses topping $55 million from this sort of scam. More generally, the agency received 19,000 complaints of scams from January to June of 2023, with estimated victim losses of $542 million. Almost half of the victims were over 60 years old and accounted for 66 percent of the aggregated losses.

So what's the upshot for you? Scam tactics are becoming more aggressive against a demographic who may have less contact with others. Not everyone reads this blog or listens to this podcast; perhaps it's time you advocated that they did.

Global: Cloudflare hacked using auth tokens stolen in Okta attack
https://www.securityweek.com/cloudflare-hacked-by-suspected-state-sponsored-attacker/

Web security and content delivery network (CDN) giant Cloudflare disclosed on Feb 1st that it was hacked by a threat actor using stolen credentials to access internal systems and code repositories, along with an AWS environment and its Atlassian Jira and Confluence instances. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold. According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted.

So what's the upshot for you?
Cloudflare run a pretty tight ship, so it's both disheartening to see them compromised via credentials stolen in last year's Okta breach, and sad, because the way in was a handful of tokens exposed in that breach that had not yet been rotated. They have now!

Global: AnyDesk says hackers breached its production servers, reset passwords
https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular in the enterprise, where it is used for remote support or to access colocated servers. The software is also popular among threat actors, who use it for persistent access to breached devices and networks. The company reports having 170,000 customers, including 7-Eleven, Comcast, Samsung, MIT, NVIDIA, SIEMENS, and the United Nations. AnyDesk says it first learned of the attack after detecting indications of an incident on its production servers. After conducting a security audit, it determined its systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike. Threat actors stole source code and code signing certificates. AnyDesk says it has revoked security-related certificates and remediated or replaced systems as necessary. It also reassured customers that AnyDesk is safe to use and that there is no evidence of end-user devices being affected by the incident. While the company says that no authentication tokens were stolen, out of caution AnyDesk is revoking all passwords to its web portal and suggests changing the password if it's used on other sites.

So what's the upshot for you? We were not aware of AnyDesk remote software until this breach. Depending on their handling of this situation it could actually turn out to be a public relations coup for the company. One practical check for customers: a stolen code signing certificate means an installer signed with it can no longer be trusted on its signature alone, so update to a build signed with the replacement certificate rather than keeping an old download around.
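Both stories above come down to the same bookkeeping question: after a vendor you trust is breached, which of your credentials existed while the attacker had access and have not been rotated since? Here is an added example of ours (not Cloudflare's or AnyDesk's tooling; the inventory, the system names and the cut-off date are constructed and hypothetical) that audits a credential inventory against the date the attacker's access was confirmed terminated. It encodes the trap that catches teams in a hurry: a rotation performed while the attacker still had access does not count.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                # e.g. "service_token", "api_key", "signing_cert"
    held_in: str             # the system where the secret was stored or usable
    issued: date
    rotated: Optional[date]  # last rotation date, None if never rotated


def still_exposed(c: Credential, cutoff: date) -> bool:
    """True when the credential could have been seen before the attacker was
    cut off and has not been replaced since.

    Rotating *before* the cutoff is not enough: the attacker may have captured
    the new value as well, so only a rotation after the cutoff clears it.
    """
    if c.issued > cutoff:
        return False             # did not exist while the attacker had access
    if c.rotated is not None and c.rotated > cutoff:
        return False             # replaced after the attacker was cut off
    return True


def audit(inventory: Iterable[Credential], affected_systems: Set[str],
          cutoff: date) -> List[str]:
    """Names of credentials held in an affected system that still need rotation."""
    return sorted(
        c.name for c in inventory
        if c.held_in in affected_systems and still_exposed(c, cutoff)
    )


# Constructed inventory and cutoff (hypothetical; not anyone's real secrets or
# dates). "okta" stands for the breached identity vendor's tenant, "build" for a
# release pipeline that holds a code signing key.
CUTOFF = date(2023, 10, 17)
INVENTORY = [
    Credential("okta-support-token", "service_token", "okta", date(2023, 9, 1), date(2023, 11, 1)),
    Credential("atlassian-svc-account", "password", "okta", date(2023, 8, 10), None),
    Credential("aws-env-key", "api_key", "okta", date(2023, 6, 1), date(2023, 10, 10)),
    Credential("ci-deploy-token", "service_token", "okta", date(2023, 12, 1), None),
    Credential("release-signing-cert", "signing_cert", "build", date(2022, 1, 1), None),
]

if __name__ == "__main__":
    print("identity vendor only:", audit(INVENTORY, {"okta"}, CUTOFF))
    print("identity vendor + build:", audit(INVENTORY, {"okta", "build"}, CUTOFF))
```

The support token rotated after the cutoff passes; the never-rotated service account and the key rotated a week before the cutoff are both flagged, and the deploy token issued after the cutoff is ignored. Widen the affected-systems set when the breach scope grows (the signing certificate only appears once "build" is in scope), and treat an empty result as the thing to prove to yourself, not to assume.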
HK: Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’
https://www.cnn.com/2024/02/04/asia/deepfake-cfo-scam-hong-kong-intl-hnk/index.html

This is two-day-old news but still holds some interesting secrets until all the details are revealed. A finance worker at a multinational firm was tricked into paying out $25 million to fraudsters using deepfake technology to pose as the company’s chief financial officer in a video conference call, according to Hong Kong police. The elaborate scam saw the worker duped into attending a video call with what he thought were several other members of staff, but all of whom were in fact deepfake recreations, Hong Kong police said at a briefing on Friday. “(In the) multi-person video conference, it turns out that everyone [he saw] was fake,” senior superintendent Baron Chan Shun-ching told the city’s public broadcaster RTHK. The scam involving the fake CFO was only discovered when the employee later checked with the corporation’s head office.

So what's the upshot for you?
Ask more questions. Deepfakes may get very good, but the responses are still slow. Any suspicions can be confirmed with a phone call to that individual.

Global: Ransomware payment rates drop to new low – now 'only 29% of victims' pay
https://www.theregister.com/2024/01/31/ransomware_payment_rates_drop/

Trusting a ransomware crew to honor a deal isn't the greatest idea, and the world seems to be waking up to that. It's claimed that the number of victims who chose to pay dropped to a new low of 29 percent in the last quarter of 2023. The data from ransomware response and negotiation company Coveware continues a downward trend since it began monitoring in 2019, when it said the rate of companies choosing to pay ransomware actors was a whopping 85 percent. The reason for the change, Coveware founder and CEO Bill Siegel states in the company's latest quarterly report, comes down to awareness. Not only are more ransomware victims prepared for the inevitability of attacks by keeping better backups, Siegel points out, but several years of ransomware making top headlines – and associated stories of payments amounting to nothing – have led to a reluctance to trust data kidnappers.

So what's the upshot for you?
Any news about the degradation of ransomware numbers is good news. Interestingly, "banning" payments to ransomware extortionists had less of an overall effect on the number of instances. Heightened awareness of ransomware attacks has allowed businesses to arm themselves with backup and recovery strategies.

Global: The Human Domain of War
https://www.rand.org/content/dam/rand/pubs/research_reports/RRA2500/RRA2520-1/RAND_RRA2520-1.pdf

You only need to think back to Covid-19, add in the recent 23andMe breach and sprinkle in a bit of Elon's Neuralink to understand the context of this recently published thesis: Recent advancements in biotechnology are reshaping perspectives on its role in warfare. While historically viewed as too risky for friendly forces, new technologies like mRNA vaccines, CRISPR gene editing, and brain-computer interfaces (BCIs) are altering strategic calculations. With more countries developing advanced biotech capabilities, the future of warfare is evolving rapidly. Biotechnology's potential in war is reminiscent of its dual role in past conflicts as both a weapon and a cure. Now, with AI algorithms and human-machine systems, warfare could involve hyper-sophisticated machines controlled by human thoughts and genetically targeted plagues. This 21st-century biotech revolution is challenging traditional notions of warfare. Future conflicts may feature enhanced warfighters with modified genomes, capable of surviving extreme combat conditions. As we delve into the implications of these technologies, it's clear that the human body is becoming a strategic domain in modern warfare.

So what's the upshot for you?
The research report starts with a vignette where a nation state creates a virus, inoculates its soldiers against that virus and then attacks a weakened "adversary". This is a thought-provoking exercise, but one that is relevant to your understanding of the value of some of the material circulating that includes Personal Health Information (PHI).

US: MIT and IBM Find Clever AI Ways Around Brute-Force Math
https://spectrum.ieee.org/mathematical-model-ai

In a breakthrough for solving complex mathematical equations crucial in science and engineering, researchers have unveiled a new method harnessing brain-inspired neural networks. These equations, known as partial differential equations, model intricate physical systems involving multiple rates of change across space and time, from air flow around aircraft wings to the behavior of pollutants in the atmosphere. Traditionally, solving such equations demanded high-precision numerical methods, which are both time-consuming and computationally intensive. Enter data-driven surrogate models, like neural networks, which offer a simpler alternative but require vast amounts of data for training. Now, scientists have pioneered a fresh approach called physics-enhanced deep surrogate (PEDS) models. By integrating physics simulators into neural network training, these models can achieve unprecedented accuracy with just a fraction of the data previously needed. Testing PEDS on various physical systems, including diffusion and electromagnetic scattering, researchers found these models to be up to three times more accurate than conventional neural networks. Remarkably, they achieved this level of accuracy with only around 1,000 training points, drastically reducing the data requirement by a factor of 100. According to lead author Raphaël Pestourie, this innovative fusion of neural networks and scientific expertise opens doors to accelerating simulations in diverse fields, from weather forecasting to nuclear reactor analysis.
So what's the upshot for you?
This is an exciting development in a world where LLMs are supplanting Bitcoin in the consumption of datacenter resources.

EU: Europe Regulates Its Way To Last Place
https://www.wsj.com/economy/europe-regulates-its-way-to-last-place-2a03c21d

From mergers to AI, the EU's aggressive rule-making hampers its ability to compete with China and the U.S. These are humbling times for Europe. The continent barely escaped recession late last year as the U.S. boomed. It is losing out to the U.S. on artificial intelligence, and to China on electric vehicles. There is one field where the European Union still leads the world: regulation. Having set the standard on regulating mergers, carbon emissions, data privacy, and e-commerce competition, the EU now seeks to do the same on AI. In December it unveiled a sweeping draft law that bans certain types of AI, tightly regulates others, and imposes huge fines for violators. Its executive arm, the European Commission, might investigate Microsoft's tie-up with OpenAI as potentially anticompetitive. Never before has "America innovates, China replicates, Europe regulates" so aptly captured each region's comparative advantage.

The technocrats who staff the EU in Brussels aren't anti-free market. Just the opposite: they still believe in free trade, unlike the U.S. or China. Much of their regulation is aimed at protecting consumers and competition from meddling national governments. But there's a trade-off between consumer protection and the profit motive that drives investment and innovation, and the EU might be getting that trade-off wrong. For example, to preserve competition, European regulators have resisted mergers that leave just a handful of mobile phone carriers per market. As a result Europe now has 43 groups running 102 mobile operators serving a population of 474 million, while the U.S. has three major networks serving a population of 335 million, according to telecommunications consultant John Strand. China and India are even more concentrated. European mobile customers as a result pay only about a third of what Americans do. But that's why European carriers invest only half as much per customer and their networks are commensurately worse. Swedish telecommunications equipment manufacturer Ericsson's sales in Europe suffer in part because many carriers are too small and unprofitable to update to the latest 5G networks. "Europe has prioritized shorter-term low consumer prices at the expense of quality infrastructure," chief executive Borje Ekholm told me in Davos earlier this month. "I'm very concerned about Europe. We need to invest much more in infrastructure, in being digital."

So what's the upshot for you?
Get the balance right.

So to recap: This week we started with your dear Gran. When’s the last time you called her to see how she was doing? It’s important to remember that older individuals may have less mobility and less opportunity to socialize, bouncing ideas and updates off each other. This demographic is being targeted like never before with scams: over the phone, by computer and now in person. From there we moved to a model corporate citizen in Cloudflare and discovered further repercussions from last year’s Okta breach. They had changed most of their tokens… but not all of them. This breach motivated a cleanup that got everything refreshed. We saw a solid, professional response from software maker AnyDesk in the identification and remediation of their compromise, turning a negative situation into a more positive outcome. Ransomware payouts have taken a dip recently. This can only be good news to those who spend each day in fear of when it might happen to them. Thankfully, better processes, backups, recoveries and understanding have put businesses back on the front foot in these encounters. We featured a report that talks through what the advances in genetic engineering, AI and neural implants might mean on the battlefield (as everything that can be used to fight wars will be). It’s a sobering but enlightening consideration. We got some good news for the environment from some joint work between MIT and IBM in terms of faster, more efficient AI training, and we ended with good intent from the EU to protect its citizens backfiring somewhat in terms of trade and progress. Sometimes it’s hard to get the balance right.

And our quote of the week - “Life is like riding a bicycle. To keep your balance, you must keep moving forward.” Albert Einstein

That's it for this week. Stay safe, stay secure, stay balanced and we'll see you in se7en!

Episode 176

This week the update gets dialed in: first via a new spy tool called Patternz, then via a photo contest where we share who rates what in the race at the top. From there we have an update on the “Mother of all breaches”, a newly surfaced collection of over 26 billion records for you to wonder if you are part of. It’s on to the US’ efforts to thwart Chinese hacking within critical US infrastructure before we read a letter from a US senator to the NSA asking why they are buying up phone data on US citizens. Then there is an update about ChatGPT placing random private conversations (including PII) in one user's conversation list. Britain gives us a timeline for the development of AI ransomware and Russia goes dark. This week’s update might have you reminiscing about the physical security of an old payphone, but we’ll get you reconnected.
Global: Inside a Global Phone Spy Tool Monitoring Billions
https://www.404media.co/inside-global-phone-spy-tool-patternz-nuviad-real-time-bidding/

A wide-spanning investigation by 404 Media reveals more details about a secretive spy tool called Patternz that can track billions of phone profiles through the advertising industry. Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps' users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles. 404 Media's investigation, based on now deleted marketing materials and videos, technical forensic analysis, and research from privacy activists, provides one of the clearest examinations yet of how advertisements in ordinary mobile apps can ultimately lead to surveillance by spy firms and their government clients through the real time bidding data supply chain.

The mass monitoring tool in question is called Patternz. In a video uploaded to YouTube in January 2023 that was removed once 404 Media started to make inquiries, Rafi Ton, the CEO of Patternz, says “we analyze behavior of over 600,000 applications.” One slide he brings up during the video says that “the mobile phone becomes the de-facto tracking bracelet,” and suggests tracking can be achieved through “virtually any app that has ads.” The video appears to be a demonstration Ton is giving to potential clients for the Patternz system. The context of the pitch is for Patternz to counter COVID-19, but Ton acknowledges that the platform was built as a “homeland security platform.” In other marketing materials online, Patternz pitches itself specifically to “national security agencies.”

So what's the upshot for you?
Be conservative with the apps you add to your phone. Understand that each app may have the potential to add something negative to the agenda. Uninstall the apps you don't need, provide the lowest level of permission to each and ... as the PM of Australia advocates, "turn your phone off every night for five minutes" (while you brush your teeth).

Global: Mother of all breaches reveals 26 billion records
https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

The supermassive leak contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. The leak, which contains LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data, is almost certainly the largest ever discovered. There are data leaks, and then there’s this. A supermassive Mother of all Breaches (MOAB for short) includes records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases.

So what's the upshot for you?
Everyone should use strong, hard-to-guess passwords, enable multi-factor authentication on all important accounts, keep an eye out for phishing and spear phishing attempts, check for password duplicates and immediately set up new protection for accounts that share the same passwords.

US/CN: US Disabled Chinese Hacking Network Targeting Critical Infrastructure
https://www.reuters.com/world/us/us-disabled-chinese-hacking-network-targeting-critical-infrastructure-sources-2024-01-29/

The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, Reuters reported Tuesday, citing two Western security officials and another person familiar with the matter.
The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters. The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the U.S. election in November, but because ransomware wreaked havoc on Corporate America in 2023. The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities. Volt Typhoon has functioned by taking control of swaths of vulnerable digital devices around the world - such as routers, modems, and even internet-connected security cameras - to hide later, downstream attacks into more sensitive targets, security researchers told Reuters. This constellation of remotely controlled systems, known as a botnet, is of primary concern to security officials because it limits the visibility of cyber defenders that monitor for foreign footprints in their computer networks.

So what's the upshot for you?
"How it works is the Chinese are taking control of a camera or modem that is positioned geographically right next to a port or ISP (internet service provider) and then using that destination to route their intrusions into the real target," said a former official familiar with the matter. "To the IT team at the downstream target it just looks like a normal, native user that's sitting nearby."

US: NSA Buys Americans' Internet Data Without Warrants, Letter Says
https://static01.nyt.com/newsgraphics/documenttools/0117fa5f9ff7ae33/fe33e1ba-full.pdf

The National Security Agency buys certain logs related to Americans' domestic internet activities from commercial data brokers, according to an unclassified letter by the agency. The letter, addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications. Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly. It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people's knowledge and consent about where it would end up and for what purpose it would be used.

In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that "internet metadata" -- logs showing when two computers have communicated, but not the content of any message -- "can be equally sensitive" as the location data the F.T.C. is targeting. He urged intelligence agencies to stop buying internet data about Americans if it was not collected under the standard the F.T.C. has laid out for location records. "The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Mr. Wyden wrote.

So what's the upshot for you?
Senator Ron Wyden, Democrat of Oregon, may be one of the few politicians in the US Senate who understands the nuances of today's tech. He is one of the good guys among a very mixed bag of representatives in the US Senate.

Global: ChatGPT is Leaking Passwords From Private Conversations of Its Users
https://arstechnica.com/security/2024/01/ars-reader-reports-chatgpt-is-sending-him-conversations-from-unrelated-ai-users/

A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs. The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query. “I went to make a query (in this case, help coming up with clever names for colors in a palette) and when I returned to access moments later, I noticed the additional conversations,” Whiteside wrote in an email. “They weren't there when I used ChatGPT just last night (I'm a pretty heavy user). No queries were made—they just appeared in my history, and most certainly aren't from me (and I don't think they're from the same user either).”

Other conversations leaked to Whiteside include the name of a presentation someone was working on, details of an unpublished research proposal, and a script using the PHP programming language. The users for each leaked conversation appeared to be different and unrelated to each other. The conversation involving the prescription portal included the year 2020. Dates didn’t appear in the other conversations.

OpenAI officials say that the ChatGPT histories a user reported result from his ChatGPT account being compromised. The unauthorized logins came from Sri Lanka, an OpenAI representative said. The user said he logs into his account from Brooklyn, New York. The user, Chase Whiteside, has since changed his password, but he doubted his account was compromised. He said he used a nine-character password with upper- and lower-case letters and special characters. He said he didn’t use it anywhere other than for a Microsoft account. He said the chat histories belonging to other people appeared all at once on Monday morning during a brief break from using his account.

So what's the upshot for you?
The episode, and others like it, underscore the wisdom of stripping out personal details from queries made to ChatGPT and other AI services whenever possible. Last March, ChatGPT-maker OpenAI took the AI chatbot offline after a bug caused the site to show titles from one active user’s chat history to unrelated users.
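The upshot above recommends stripping personal details out of prompts before they go to ChatGPT or a similar service. One way to automate that on your own machine, as an added example written for these notes (not code from OpenAI, Ars Technica or the reader quoted), is to swap recognisable values for numbered placeholders before the prompt leaves the device and put the originals back into the reply afterwards. The detection patterns, the placeholder format and the sample prompt are constructed for this example; they illustrate the approach and will not catch every form of personal data.

```python
import re

# Constructed redaction rules for this example: (label, regex, index of the
# capture group that holds the sensitive value). Order matters: credentials
# embedded in URLs are handled before bare e-mail addresses, and SSNs before
# phone numbers, so a narrower rule does not consume part of a wider match.
RULES = [
    ("URLCRED", re.compile(r"([a-z][a-z0-9+.-]*://)([^/\s:@]+:[^/\s@]+)@"), 2),
    ("SECRET", re.compile(
        r"(?i)\b(password|passwd|pwd|api[ _-]?key|access[ _-]?token|token|secret)"
        r"(\s*[:=]\s*)(\S+)"), 3),
    ("EMAIL", re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"), 1),
    ("SSN", re.compile(r"(?<!\d)(\d{3}-\d{2}-\d{4})(?!\d)"), 1),
    ("PHONE", re.compile(
        r"(?<!\w)((?:\+?\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4})(?!\w)"), 1),
]

# Constructed sample prompt containing the kinds of data a user might paste.
SAMPLE_PROMPT = (
    "Hi, help me write an email to jane.doe@example.com about order 4411. "
    "My SSN is 123-45-6789, phone 555-867-5309. The portal login is "
    "https://alice:Secr3t!@portal.example.net/login and the API key: sk_test_ABC123xyz"
)


def redact(text):
    """Replace sensitive values with numbered placeholders such as <EMAIL_1>.

    Returns (redacted_text, mapping); mapping maps each placeholder back to the
    original value so the model's reply can be restored locally.
    """
    mapping = {}
    counters = {}

    for label, pattern, group in RULES:
        def _sub(m, label=label, group=group):
            counters[label] = counters.get(label, 0) + 1
            placeholder = f"<{label}_{counters[label]}>"
            mapping[placeholder] = m.group(group)
            # Keep the non-sensitive parts of the match (e.g. "password: ")
            # and replace only the captured value.
            start, end = m.start(group) - m.start(), m.end(group) - m.start()
            whole = m.group(0)
            return whole[:start] + placeholder + whole[end:]

        text = pattern.sub(_sub, text)
    return text, mapping


def restore(text, mapping):
    """Put the original values back into text returned by the model."""
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text


if __name__ == "__main__":
    redacted, table = redact(SAMPLE_PROMPT)
    print(redacted)  # this is what would actually be sent to the AI service
    print(restore(redacted, table) == SAMPLE_PROMPT)  # the round trip is lossless
```

The mapping table never leaves the machine: only the redacted prompt is sent, and placeholders that come back in the answer are substituted locally. Regex rules of this kind are a floor, not a ceiling; names, addresses and free-text medical details need a proper PII classifier, and anything the rules miss is still exposed if the service itself leaks histories as described above.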
UK: British intelligence warns AI will cause surge in ransomware volume and impact
https://therecord.media/british-intelligence-warns-ai-will-cause-surge-in-ransomware

Ransomware attacks will increase in both volume and impact over the next two years due to artificial intelligence (AI) technologies, British intelligence has warned. Experts at the NCSC, a part of the cyber and signals intelligence agency GCHQ, warned that AI tools were going to benefit different threat actors unevenly. At present, generative AI is already being used to create a “capability uplift in reconnaissance and social engineering”, making both of these tasks “more effective, efficient, and harder to detect.” AI is also considered likely to assist with “malware and exploit development, vulnerability research and lateral movement by making existing techniques more efficient.” The good news according to the intelligence experts is that these more sophisticated uses of AI to enhance cyber operations are only likely to be available to the best resourced threat actors, and even then “are unlikely to be realised before 2025.”

James Babbage, the director general for threats at the National Crime Agency, stated: “Ransomware continues to be a national security threat. As this report shows, the threat is likely to increase in the coming years due to advancements in AI and the exploitation of this technology by cyber criminals. “AI services lower barriers to entry, increasing the number of cyber criminals, and will boost their capability by improving the scale, speed and effectiveness of existing attack methods,” warned Babbage, adding that cases of fraud and child sexual abuse would also likely be affected.

So what's the upshot for you?
We have a couple of years' breathing room before the use of AI gets really dangerous. Time to prepare.

RU: Russia Hit With Widespread Internet Outage Across Country
https://www.bloomberg.com/news/articles/2024-01-30/russia-hit-with-widespread-internet-outage-across-country

Russia is facing a widespread internet outage that's affected users across the country, with access to websites on the local .ru domain down. The issue was linked to a technical problem with the .ru domain's global Domain Name System Security Extensions, or DNSSEC, which is used to secure data exchanged in internet protocol networks, Russia's Digital Ministry said in a statement on Telegram Tuesday. Websites including the most popular local search engine Yandex.ru, ecommerce leaders Ozon.ru and Wildberries.ru, and apps of the country's biggest banks -- Sberbank PJSC and VTB Group -- were all affected, state-run Ria reported, citing Downradar, a traffic monitoring service.

So what's the upshot for you?
It's hard to tell at this point whether this is self-inflicted or not. Russia has taken the country offline before.

Global: The Battle of the Big Three: Which Smartphone Delivers the Best Images?
https://petapixel.com/2024/01/30/the-battle-of-the-big-three-which-smartphone-delivers-the-best-images/

With the recent release of the Samsung S24 Ultra, North America now has three premium-priced phones that happen to compete in a very similar way against each other. The Apple iPhone 15 Pro Max, Google Pixel 8 Pro, and Samsung S24 Ultra all have state-of-the-art displays, HDR-compliant photos and videos, and a 5X telephoto lens to complement the main and ultra-wide cameras.

"Due largely to the updated hardware in the Google Pixel 8 Pro and with a lot of weight given to individual lenses, the latest Google phone has a lot going for it. I love the raw file quality and overall color of the Pixel, but I wouldn’t rely on it for advanced video applications. As a photographer though, I feel that it delivers the best image quality out of the three phones we tested."

"The iPhone 15 Pro Max comes up second with the best video quality and most convincing portraits. I love the images, and although Apple shields its more casual users from any scary manual controls, third-party apps can be used to unlock advanced photo control if desired."

"Now the S24 Ultra may have scored last but it has the most second-place finishes owing to its versatile nature. It can handle almost anything well and might be the easiest choice for many users. I also appreciate the full-featured camera interface although some owners might find it a little intimidating."

So what's the upshot for you?
The iPhone 15 Pro Max for portraits and video, the Google Pixel 8 Pro for general and night-time shots, and the Samsung S24 Ultra as an easy-to-work-with, good all-rounder.

So to recap: This week the update got phoned home. We updated you on a new tracking spy tool called Patternz. From there we had an update on the “Mother of all breaches”, a newly surfaced collection of over 26 billion records for you to wonder if you are part of. Much of this data may not even be new, but the collation of so much in one repository makes abusing it much easier. Then we moved on to the US’ efforts thwarting Chinese hacking into US infrastructure. We had Senator Ron Wyden go public with a letter that asked why the NSA didn’t apply for warrants to get the data it needed rather than buying phone records from unsavory companies. Then there was an update about ChatGPT placing random private conversations (including PII) in one user's conversation list (OpenAI claimed his account was compromised). Britain gave us a timeline for the development of AI ransomware. The good news is it’s not being used now, but it’s only a matter of a year or two. We ended with a photo finish where Google’s Pixel 8 Pro stole the top spot with its huge sensor, Apple ruled in the portrait and video categories, and Samsung won out for easiest to use.
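The "Mother of all breaches" story recapped above advised checking whether your passwords have already turned up in a leak and whether any are reused across accounts. Here is how a breach lookup can be done without handing the password, or even its full hash, to the lookup service. This is an added example written for these notes, not code from the podcast or from any breach-checking service; the breach corpus, the account list and the function names are constructed for illustration. The split it uses (send only the first five hex characters of the SHA-1, match the remaining suffix locally) is the k-anonymity range-query design used by public password-breach APIs.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: a few weak passwords, some repeated
# to mimic the same password turning up in several source breaches.
BREACH_CORPUS = ["password", "123456", "qwerty", "password", "letmein",
                 "password", "123456"]

# Constructed list of (account, password) pairs to check for reuse.
ACCOUNTS = [("mail", "hunter2"), ("bank", "hunter2"),
            ("forum", "correct horse"), ("shop", "123456")]


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(corpus):
    """Server-side index: full SHA-1 -> number of times seen in breaches."""
    index = defaultdict(int)
    for pw in corpus:
        index[sha1_hex(pw)] += 1
    return dict(index)


def range_query(index, prefix):
    """Server side of the k-anonymity lookup. The client sends only the first
    five hex characters; the server returns every (suffix, count) sharing that
    prefix and never learns which suffix, if any, the client cared about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in index.items() if h.startswith(prefix)}


def pwned_count(password, index):
    """Client side: hash locally, send the prefix, match the suffix at home.
    Returns how many times the password appears in the breach corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


def find_reused(credentials):
    """Return groups of account names that share a password. The comparison is
    done on hashes so the result holds account names only, never passwords."""
    groups = defaultdict(list)
    for account, pw in credentials:
        groups[sha1_hex(pw)].append(account)
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    index = build_breach_index(BREACH_CORPUS)
    for account, pw in ACCOUNTS:
        print(f"{account}: password seen {pwned_count(pw, index)} time(s) in breaches")
    print("accounts sharing a password:", find_reused(ACCOUNTS))
```

With a real corpus of billions of hashes each five-character prefix covers hundreds of suffixes, which is what gives the client its anonymity; against the tiny constructed corpus here the prefix alone would often identify the password, so treat the numbers as illustrative. A hit from pwned_count means the password should be changed everywhere it is used, and find_reused tells you which accounts share one, which is exactly the cleanup the MOAB upshot asks for.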
And our quote of the week - "There's no chance that the iPhone is going to get any significant market share. No chance," - Steve Ballmer, CEO of Microsoft, 2007.*

* Apple recently surpassed Samsung as the world’s smartphone leader for the first time. According to data from the International Data Corp., Apple holds just over 20% of the global market share, a spot that Samsung had held since 2010.

That's it for this week. Stay safe, stay secure, don't forget to restart your phone while you brush your teeth and we'll see you “gleaming” in se7en!

Episode 175

As you were walking home from work, did you ever feel like someone was watching you? In this week’s update we tell you why. We have some disturbing news on a cyber attack where the data from 1 million cancer patients is stolen and then used to threaten and spam them. Mandiant discovers a zero-day attack that could have allowed many businesses, like hospitals, to be compromised for up to 2 years before a patch was delivered. Microsoft’s executive suite got hacked by a Russian intelligence agency. Troy Hunt adds another 71 million email addresses to his “haveIBeenPwned” database, which means now is a great time to check and see if your emails are among them. We finish with stories about a couple of devices that are making the news: one detects skin cancer using AI and the other seemed to be minting Monero while it cleans your socks. This week’s IT Privacy and Security Update is full of surprises, but each and every one is delivered to you “Clean and Fresh smelling”!

US: The New Street Surveillance Hub
https://sls.eff.org/

The new Street Surveillance Hub from the Electronic Frontier Foundation is a "must see" for those in the US who want the latest on surveillance tech in use in the streets they live in, or pass through. The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site. The Atlas, started in 2019, allows anyone to check what surveillance technology law enforcement is using in their local area -- be it license plate readers, drones, or gunshot detection microphones. It can also let you know if local law enforcement is collaborating with third parties like home security vendor Ring to get extra information. Once people look into what's being deployed using their tax dollars, a lot of red flags are raised. Over the last few years America's thin blue line has not only been harvesting huge amounts of data itself, but also buying it in from commercial operators. The result is a perfect storm on privacy -- with police, homeowners, and our personal technology proving to be a goldmine of intrusive information that's often misused.

So what's the upshot for you?
This is a great way to bring attention to just how many elements are or may be cataloguing your movements around town.

Global: Chrome Updates Incognito Warning To Admit Google Tracks Users In 'Private' Mode
https://arstechnica.com/tech-policy/2024/01/chrome-updates-incognito-warning-to-admit-google-tracks-users-in-private-mode/

Further to our coverage of this story a couple of weeks back, Google is updating the warning on Chrome's Incognito mode to make it clear that Google and websites run by other companies can still collect your data in the web browser's semi-private mode.

So what's the upshot for you?
This is actually good information for Chrome users to understand. Their activities are not private even when in Incognito mode.
US: Breaches lead to Email threats to Cancer patients https://www.seattletimes.com/seattle-news/health/email-threats-to-patients-escalate-after-fred-hutch-cyberattack/ Concerns have grown in recent weeks about data privacy and the ongoing impacts of a recent Fred Hutchinson Cancer Center cyberattack that leaked personal information of about 1 million patients last November. Since the breach, which hit the South Lake Union (Washington state) cancer research center's clinical network and has led to a host of email threats from hackers and lawsuits against Fred Hutch, menacing messages from perpetrators have escalated. Some patients have started to receive "swatting" threats, in addition to spam emails warning people that unless they pay a fee, their names, Social Security and phone numbers, medical history, lab results and insurance history will be sold to data brokers and on black markets. Steve Bernd, a spokesperson for FBI Seattle, Washington said last week there's been no indication of any criminal swatting events... Other patients have been inundated with spam emails since the breach... According to The New York Times, large data breaches like this are becoming more common. In the first 10 months of 2023, more than 88 million individuals had their medical data exposed, according to the Department of Health and Human Services. Meanwhile, the number of reported ransomware incidents, when a specific malware blocks a victim's personal data until a ransom is paid, has decreased in recent years — from 516 in 2021 to 423 in 2023, according to Bernd of FBI Seattle. In Washington, the number dropped from 84 to 54 in the past three years, according to FBI data. Fred Hutchinson Cancer Center believes their breach was perpetrated outside the U.S. by exploiting the "Citrix Bleed" vulnerability (which federal cybersecurity officials warn can allow the bypassing of passwords and mutifactor authentication measures). 
The article adds that in late November, the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center "urged hospitals and other organizations that used Citrix to take immediate action to patch network systems in order to protect against potentially significant ransomware threats." So what's the upshot for you? Many hospitals and hospital systems rely on software that needs to be tested thoroughly before deployment to ensure critical infrastructure remains available. Consequently, there can be gaps between the release of software patches and their application to the environment. Miscreants leverage those gaps to compromise the data of large healthcare providers. Do we see a clear path to preventing this type of compromise? Better layering of security, and the identification and encryption of sensitive data. Looking at data handling and protection holistically may not be the typical approach at some healthcare facilities, but that needs to change.

CN: Chinese hackers exploit VMware bug as zero-day for two years
https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-vmware-bug-as-zero-day-for-two-years/
Until now, Mandiant didn't know how the attackers gained privileged access to victims' VMware vCenter servers. The link became evident in late 2023, when a VMware vmdird service crash minutes before the backdoors' deployment was found to closely match CVE-2023-34048 exploitation. "While publicly reported and patched in October 2023, Mandiant has observed these types of crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability," Mandiant said on Friday. "Most environments where these crashes were observed had log entries preserved, but the 'vmdird' core dumps themselves were removed.
VMware's default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks." UNC3886 is known for focusing on organizations in the defense, government, telecom, and technology sectors in the United States and the APJ region. The Chinese cyberspies' favorite targets are zero-day security flaws in firewall and virtualization platforms that lack the Endpoint Detection and Response (EDR) capabilities that would make it easier to detect and block their attacks. So what's the upshot for you? This is an example of software that is popular with healthcare providers. Now imagine an infestation of your systems for a year and a half before this vulnerability was discovered.

Global: Microsoft Executive Emails Hacked By Russian Intelligence Group
https://www.cnbc.com/2024/01/19/microsoft-executive-emails-hacked-by-russian-intelligence-group-company-says.html
In a regulatory filing on the 19th, Microsoft said that a Russian intelligence group hacked into some of the company's top executives' email accounts. Nobelium, the same group that breached government supplier SolarWinds in 2020, carried out the attack. The announcement comes after new U.S. requirements for disclosing cybersecurity incidents went into effect. In late November, the group accessed "a legacy non-production test tenant account," Microsoft's Security Response Center wrote in a blog post. After gaining access, the group "then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents," the corporate unit wrote. The company's senior leadership team, including finance chief Amy Hood and president Brad Smith, regularly meets with CEO Satya Nadella. The U.S.
government and Microsoft consider Nobelium to be part of the Russian foreign intelligence service SVR. So what's the upshot for you? It happens to the best of them!

AU: Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List
https://haveibeenpwned.com/
https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-71-million-emails-from-nazapi-stolen-account-list/
Have I Been Pwned has added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of login name and password pairs stolen from previous data breaches that are used to breach accounts on other sites. Information-stealing malware attempts to steal a wide variety of data from an infected computer, including credentials saved in browsers, VPN clients, and FTP clients. This type of malware also attempts to steal SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets. Regardless of how the credentials are stolen, they are then used to breach accounts owned by the victim, sold to other threat actors on cybercrime marketplaces, or released for free on hacker forums to gain reputation amongst the hacking community. To check if your credentials are in the Naz.API dataset, you can visit Have I Been Pwned. So what's the upshot for you? We think it's a good idea to periodically check your email addresses against Troy Hunt's website. Hopefully your data was not part of this massive breach collection... but you won't know until you check.
US: New AI skin cancer detection device gets FDA approval
https://digialps.com/the-first-ai-medical-device-that-can-detect-all-major-skin-cancers-just-received-fda-approval/
On January 17, 2024, the US Food and Drug Administration (FDA) announced it had cleared DermaSensor as the first AI-powered medical device able to detect the three most common types of skin cancer: melanoma, basal cell carcinoma, and squamous cell carcinoma. Developed by medical technology company DermaSensor, Inc., the device uses a non-invasive light-based technology called elastic scattering spectroscopy (ESS) to analyze suspicious lesions on a cellular level and provide real-time cancer risk assessments to guide physicians. DermaSensor looks similar to a smartphone with a pointed tip on the bottom that is used to scan skin lesions. When the tip touches the skin, it projects different wavelengths of light that penetrate the skin and interact with cells. Healthy cells absorb and reflect light differently than cancerous cells based on changes at the subcellular level. An integrated AI model can analyze these light interaction patterns and identify characteristics associated with specific types of skin cancer. Within seconds of scanning a mole or lesion, DermaSensor can provide physicians with an automatic risk assessment of either "investigate further" or "monitor". This gives doctors an objective second opinion to aid biopsy decisions and diagnoses without having to rely solely on visual examination or their subjective judgment, which can sometimes miss subtle signs of cancer. The device does not make a formal cancer diagnosis but flags suspicious lesions for closer evaluation by a dermatologist. So what's the upshot for you? This is great news, and we look forward to the day when tech like this is integrated into our phones.
US: LG Washing Machine Found Sending 3.7 GB of Data a Day
https://www.tomshardware.com/networking/your-washing-machine-could-be-sending-37-gb-of-data-a-day
An LG washing machine owner discovered that his smart home appliance was uploading an average of 3.66GB of data daily. "Concerned about the washer's internet addiction, Johnie forced the device to go cold turkey and blocked it using his router UI," reports Tom's Hardware. Johnie's initial screenshot showed that on a chosen day, the device uploaded 3.57GB and downloaded about 100MB, and the data traffic was almost constant. Meanwhile, according to the Asus router interface screenshot, the washing machine accounted for just shy of 5% of Johnie's internet traffic daily. The LG washing machine owner saw the fun in his predicament and joked that the device might use Wi-Fi for "DLCs (Downloadable Laundry Cycles)." He wasn't entirely kidding: the machine does download presets for various types of apparel. However, the lion's share of the data transferred was uploaded. Working through the thread, we note that Johnie also pondered the possibility of someone using his washing machine for crypto mining. "I'd gladly rent our LPU (Laundry Processing Unit) by the hour," he quipped. Again, there was the glimmer of a possibility that there could be truth behind this joke. Another social media user highlighted a history of hackers taking over LG smart-connected appliances. The SmartThinQ home appliances HomeHack vulnerability was patched several weeks after being made public. A similar modern hack might use the washing machine's computer resources as part of a botnet. Taking control of an LG washing machine as part of a large botnet for cryptocurrency mining or nefarious networking purposes wouldn't be as far-fetched as it sounds. Large numbers of relatively low-power devices can be formidable together.
One of the more innocent theories regarding the significant data uploads suggested laundry data was being uploaded to LG so it could improve its LLM (Large Laundry Model). It sought to do this to prepare for the launch of its latest "AI washer-dryer combo" at CES, joked Johnie. So what's the upshot for you? It appears that the average upload of data to LG from most washing machines is 1 MB a day, so in this case the router providing the breakout could be to blame for misreporting. However, it does highlight the potential for IoT devices (like this washer) to be compromised and used for far more varied purposes than simply cleaning our clothes. And what would they be called? "WashBots"?

So to recap: This week we started with the feeling that someone was watching us and shared the EFF's new Street Surveillance Hub. We'd like to see versions of this in the UK and CN too, please! We moved on to a story that is appalling, where the data of 1 million cancer patients was stolen and then used to threaten and spam them. We feel like that's as low as you can go, but with the high number of data breaches at healthcare facilities last year, we know there are lower lows on the horizon. Mandiant announced a zero-day attack and fresh evidence that points to many businesses and hospitals being compromised for up to 1 1/2 years before VMware delivered a patch. Microsoft had to make a new mandatory SEC filing that named most of their executive suite as victims of a Russian intelligence service. Troy Hunt adds another 71 million email addresses to his "Have I Been Pwned" database, which means now is a great time to check and see if your emails are among them. If you have not used his site before, it is secure (many countries use it for their own references) and worth getting to know.
We finished with stories about a couple of devices that are making the news: one, about the size of a phone, detects skin cancer using AI, while the other seemed to be minting Monero as it did the rinse and spin. And our quote of the week - "The washing machine changed the world more than the Internet." - Ha-Joon Chang (South Korean economist). That's it for this week. Stay safe, stay secure, clean and fresh smelling, and we'll see you in se7en!

The IT Privacy and Security Weekly Update Gets Pumped for the week ending January 16th, 2024 (1/16/2024). Episode 174
This week we are pumping, probing, questioning and querying on all fronts. We start with a couple of fan faves from the Consumer Electronics Show, but wonder if we'll get as much use out of them as the vlogging contingent. From there we siphon out some subtle word-smithing that might mean we are not the only ones left quaking in our boots. Apple, the company selling us on the importance of privacy, drops another privacy bomb on us. We tap into a supply-side typo that should have everyone in San Francisco more than a little angry at the lack of due care and attention being paid by their judges. The Emmys are over, yet Reddit pushes out an update about being chased by the movie studios, and it doesn't want to be caught in this spotlight. The swell of quantum-computing-proof encryption difficulties continues to grow with another set of vulnerabilities exposed. And we finish this week with a story about a water pump that "spills" a little more detail from one of the biggest security mysteries in years. The pace is bumping, the beat is thumping, the stories pumping, so let's get jumping.

US: Most coveted, covered accessory from CES?
https://www.tomsguide.com/news/best-of-ces-awards-2024
https://www.wired.com/gallery/best-of-ces-2024/
From this year's Consumer Electronics Show the most regular mention goes to a feature-rich phone charger: Belkin's Auto-Tracking Stand Pro With DockKit ($180). This MagSafe charger for the iPhone launches very soon and doubles as a 360-degree swiveling tripod for your iPhone's camera. The interesting thing here is that you don't have to do anything to make sure you're always framed properly in the shot. It's one of the first products to support Apple's Works With DockKit program, and this allows the Stand Pro to pair with the iPhone's camera via NFC. After pairing, the device will swivel to always try and keep you in the frame, whether you're using the rear or selfie camera. It also doesn't matter which app you're using to access the camera. You can dock the iPhone and start a presentation in Microsoft Teams, or you can start filming a dance on Instagram Stories and move around the room with no worries of not being in the scene. It can be plugged into the wall or run off a battery for around five hours. Slightly more radical is our fave: the Supernal S-A2. Normally you avoid all talk of flying cars at consumer electronics shows, but Supernal's eVTOL, the S-A2, is clearly much more than a pipe dream for the company, a division of the Hyundai Motor Group. If Supernal is true to its word, you'll see this all-electric pilot-plus-four-passenger vehicle in the skies in just four years' time, whisking people over distances of 25 to 40 miles at max speeds of 120 mph at up to 1,500 feet above the ground. Not only is the design striking (and honed using bio-mimicry based on, of all things, the shapes of bees), it's apparently going to be almost unfathomably quiet. In the vertical takeoff and landing phases, it clocks in at 65 dB, which is less noisy than your dishwasher. So what's the upshot for you?
Ok, so until you get your very own vertical take-off and landing craft, you may have to make do with a phone charger that follows you around the room. Vloggers rejoice: both items will be perfect for your upcoming podcasts!

US: OpenAI Quietly Deletes Ban On Using ChatGPT For 'Military and Warfare'
https://theintercept.com/2024/01/12/open-ai-military-ban-chatgpt/
https://web.archive.org/web/20240109122522/https:/openai.com/policies/usage-policies
OpenAI this week quietly deleted language expressly prohibiting the use of its technology for military purposes from its usage policy, which seeks to dictate how powerful and immensely popular tools like ChatGPT can be used. Up until January 10, OpenAI's "usage policies" page included a ban on "activity that has high risk of physical harm, including," specifically, "weapons development" and "military and warfare." That plainly worded prohibition against military applications would seemingly rule out any official, and extremely lucrative, use by the Department of Defense or any other state military. The new policy retains an injunction not to "use our service to harm yourself or others" and gives "develop or use weapons" as an example, but the blanket ban on "military and warfare" use has vanished. "OpenAI is well aware of the risk and harms that may arise due to the use of their technology and services in military applications," said Heidy Khlaaf, engineering director at the cybersecurity firm Trail of Bits and an expert on machine learning and autonomous systems safety, citing a 2022 paper she co-authored with OpenAI researchers that specifically flagged the risk of military use. "There is a distinct difference between the two policies, as the former clearly outlines that weapons development, and military and warfare is disallowed, while the latter emphasizes flexibility and compliance with the law," she said. "Developing weapons, and carrying out activities related to military and warfare is lawful to various extents.
The potential implications for AI safety are significant. Given the well-known instances of bias and hallucination present within Large Language Models (LLMs), and their overall lack of accuracy, their use within military warfare can only lead to imprecise and biased operations that are likely to exacerbate harm and civilian casualties." So what's the upshot for you? Slightly worried after this update? We are.

CN/US: Apple knew AirDrop users could be identified and tracked as early as 2019
https://edition.cnn.com/2024/01/12/tech/china-apple-airdrop-user-encryption-vulnerability-hnk-intl/index.html
https://www.macrumors.com/2024/01/09/airdrop-cracked-chinese-authorities/
Security researchers warned Apple as early as 2019 about vulnerabilities in its AirDrop wireless sharing function that Chinese authorities claim they recently used to track down users of the feature, the researchers told CNN, in a case that experts say has sweeping implications for global privacy. The Chinese government's actions targeting a tool that Apple customers around the world use to share photos and documents -- and Apple's apparent inaction to address the flaws -- revive longstanding concerns by US lawmakers and privacy advocates about Apple's relationship with China and about authoritarian regimes' ability to twist US tech products to their own ends. AirDrop lets Apple users who are near each other share files using a proprietary mix of Bluetooth and other wireless connectivity without having to connect to the internet. The sharing feature has been used by pro-democracy activists in Hong Kong, and the Chinese government has cracked down on the feature in response. A Chinese tech firm, Beijing-based Wangshendongjian Technology, was able to compromise AirDrop to identify users on the Beijing subway accused of sharing "inappropriate information," judicial authorities in Beijing said this week.
Although Chinese officials portrayed the exploit as an effective law enforcement technique, internet freedom advocates are urging Apple to address the issue quickly and publicly. So what's the upshot for you? This is the second massive compromise of Apple user privacy in the last few weeks. Apple is starting to look more like the Israeli spyware company NSO Group than a tech firm.

US: A Geofence Warrant Typo Cast a Location Dragnet Spanning Two Miles Over San Francisco
https://techcrunch.com/2024/01/11/geofence-warrant-dragnet-error/
Civil liberties advocates have long argued that "geofence" search warrants are unconstitutional for their ability to ensnare entirely innocent people who were nearby at the time a crime was committed. But errors in the geofence warrant applications that go before a judge can violate the privacy of vastly more people -- in one case almost two miles away. Attorneys at the ACLU of Northern California found what they called an "alarming error" in a geofence warrant application that "resulted in a warrant stretching nearly two miles across San Francisco." The error, likely caused by a typo, allowed the requesting law enforcement agency to capture information on anyone who entered the stretch of San Francisco erroneously marked on the search warrant. "Many private homes were also captured in the massive sweep," wrote Jake Snow, ACLU staff attorney, in a blog post about the findings. It's not known which law enforcement agency requested the nearly two-mile-long geofence warrant, or for how long the warrant was in effect. The attorneys questioned how many other geofence warrant application mistakes had slipped through and resulted in the return of vastly more data in error. So what's the upshot for you? What may be more concerning is the fact that the judge who signed off on that warrant didn't question its scope either.

US: 3rd Time Lucky?
Reddit Must Share IP Addresses of Piracy-Discussing Users, Film Studios Say
https://arstechnica.com/tech-policy/2024/01/film-studios-demand-ip-addresses-of-people-who-discussed-piracy-on-reddit/
For the third time in under a year, film studios are pressing Reddit to reveal users allegedly discussing piracy, despite two prior failed attempts. Studios including Voltage Holdings and Screen Media have filed fresh motions to compel Reddit to comply with a subpoena seeking IP addresses and logs of six Redditors, claiming the information is needed for copyright suits against internet provider Frontier Communications. The same federal judge previously denied the studios' bid to unmask Reddit users, citing First Amendment protections. However, the studios now argue IP addresses fall outside privacy rights. Reddit maintains the new subpoena fails to meet the bar for identifying anonymous online speakers. So what's the upshot for you? Copyright suits for studios should not be something that Reddit is involved in.

Global: Post-Quantum Encryption Algorithm KyberSlash Patched After Side-Channel Attack Discovered
https://www.bleepingcomputer.com/news/security/kyberslash-attacks-put-quantum-encryption-projects-at-risk/
"Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a set of flaws collectively referred to as KyberSlash, which could allow the recovery of secret keys." CRYSTALS-Kyber "was chosen to be the U.S. government's post-quantum cryptography system of choice last year, but a side-channel attack has been identified. But in the article, NIST says that this is an implementation-specific attack (the reference implementation) and not a vulnerability in Kyber itself." Backstory: the goal with the next encryption algorithm is to have something that is quantum-computer crack proof.
CRYSTALS-Kyber is the official implementation of the Kyber key encapsulation mechanism (KEM) for quantum-safe algorithm (QSA) and part of the CRYSTALS (Cryptographic Suite for Algebraic Lattices) suite of algorithms. It is designed for general encryption... The KyberSlash flaws are timing-based attacks arising from how Kyber performs certain division operations in the decapsulation process, allowing attackers to analyze the execution time and derive secrets that could compromise the encryption. If a service implementing Kyber allows multiple operation requests towards the same key pair, an attacker can measure timing differences and gradually compute the secret key... In a KyberSlash1 demo on a Raspberry Pi system, the researchers recovered Kyber's secret key from decryption timings in two out of three attempts... On December 30, KyberSlash2 was patched following its discovery and responsible reporting by Prasanna Ravi, a researcher at the Nanyang Technological University in Singapore, and Matthias Kannwischer, who works at the Quantum Safe Migration Center. So what's the upshot for you? This is big news for those in security, because so much effort from an international community has gone into finding the next generation of encryption. Entities now are already stockpiling encrypted data in the hopes that current encryption will be easily cracked using quantum computers.

NL: Water Pump Used To Get $1 Billion Stuxnet Malware Into Iranian Nuclear Facility
https://www.securityweek.com/dutch-engineer-used-water-pump-to-get-billion-dollar-stuxnet-malware-into-iranian-nuclear-facility-report/
Background: Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.
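To make the KyberSlash story above concrete, here is an added example (written for these notes, not the Kyber project's own patch, which uses its own constants) of the mitigation it describes: Kyber's message-bit recovery step with its secret-dependent division beside a multiply-and-shift replacement, plus an exhaustive check that the two agree over the whole input domain. It assumes only Kyber's public modulus q = 3329 and the reference formula floor((2t + q/2)/q) & 1; the 14-bit operand bound and the 26-bit fixed-point shift are choices made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Kyber's public modulus q, as fixed by the Kyber specification. */
#define KYBER_Q 3329u

/* Operand domain of the division in message decoding: 2*(q-1) + q/2 = 8320,
 * which fits in 14 bits (bound chosen for this example). */
#define INPUT_BITS 14
/* Fixed-point precision.  Multiply-and-shift equals true division for every
 * x < 2^INPUT_BITS as long as 2^SHIFT >= 2^INPUT_BITS * q
 * (2^26 = 67108864 >= 16384 * 3329 = 54542336). */
#define SHIFT 26
/* Reciprocal of q rounded up, ceil(2^SHIFT / q).  This division runs on
 * public compile-time constants only, never on secret data. */
#define Q_INV ((uint32_t)(((1u << SHIFT) + KYBER_Q - 1u) / KYBER_Q))

/* Variable-time form: the divisor is public, but the dividend is derived
 * from the decrypted message, i.e. it is secret.  Whether the compiler emits
 * a hardware divide (operand-dependent latency on many cores) or a multiply
 * here depends on target and flags, which is the gap KyberSlash exploited. */
uint32_t div_q_variable_time(uint32_t x)
{
    return x / KYBER_Q;
}

/* Constant-time form: one multiply by the precomputed reciprocal and one
 * shift.  The product stays below 2^32 because x < 2^14 and Q_INV < 2^15. */
uint32_t div_q_constant_time(uint32_t x)
{
    return (x * Q_INV) >> SHIFT;
}

/* Kyber's per-coefficient message-bit recovery: for a coefficient t in
 * [0, q), bit = floor((2t + q/2) / q) & 1, i.e. 1 when t is closer to q/2
 * than to 0 or q. */
uint8_t decode_bit_variable_time(uint16_t t)
{
    return (uint8_t)(div_q_variable_time(2u * t + KYBER_Q / 2u) & 1u);
}

uint8_t decode_bit_constant_time(uint16_t t)
{
    return (uint8_t)(div_q_constant_time(2u * t + KYBER_Q / 2u) & 1u);
}

/* Exhaustively compare both forms over the full operand domain and over
 * every valid coefficient.  Returns the number of disagreements; 0 means the
 * replacement is exact for this range and safe to ship. */
uint32_t count_mismatches(void)
{
    uint32_t mismatches = 0;
    for (uint32_t x = 0; x < (1u << INPUT_BITS); x++) {
        if (div_q_variable_time(x) != div_q_constant_time(x))
            mismatches++;
    }
    for (uint32_t t = 0; t < KYBER_Q; t++) {
        if (decode_bit_variable_time((uint16_t)t) !=
            decode_bit_constant_time((uint16_t)t))
            mismatches++;
    }
    return mismatches;
}

int main(void)
{
    printf("Q_INV = %u, mismatches = %u\n",
           (unsigned)Q_INV, (unsigned)count_mismatches());
    /* Coefficients on either side of the rounding boundary q/4 = 832.25. */
    printf("t=832 -> bit %u, t=833 -> bit %u\n",
           (unsigned)decode_bit_constant_time(832),
           (unsigned)decode_bit_constant_time(833));
    return 0;
}
```

The exhaustive check is the part worth keeping in a real code base: a reciprocal-and-shift that is off by one at a single boundary value flips a message bit silently, so equality should be proven over the full operand range rather than spot-checked.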
A Dutch engineer recruited by the country's intelligence services used a water pump to deploy the now-infamous Stuxnet malware in an Iranian nuclear facility, according to a two-year investigation conducted by Dutch newspaper De Volkskrant. Stuxnet, whose existence came to light in 2010, is widely believed to be the work of the United States and Israel, its goal being to sabotage Iran's nuclear program by compromising industrial control systems (ICS) associated with nuclear centrifuges. The malware, which had worm capabilities, is said to have infected hundreds of thousands of devices and caused physical damage to hundreds of machines. De Volkskrant's investigation, which involved interviews with dozens of people, found that the AIVD, the general intelligence and security service of the Netherlands, the Dutch equivalent of the CIA, recruited Erik van Sabben, a then 36-year-old Dutch national working at a heavy transport company in Dubai. Van Sabben was allegedly recruited in 2005 -- a couple of years before the Stuxnet malware was triggered -- after American and Israeli intelligence agencies asked their Dutch counterpart for help. However, the Dutch agency reportedly did not inform its country's government and it was not aware of the full extent of the operation. Van Sabben was described as “perfect for the job” as he had a technical background, he was doing business in Iran and was married to an “Iranian woman”. It's believed that the Stuxnet malware was planted on a water pump that the Dutch national installed in the nuclear complex in Natanz, which he had infiltrated. It's unclear if Van Sabben knew exactly what he was doing, but his family said he appeared to have panicked at around the time of the Stuxnet attack. Michael Hayden, who at the time was the chief of the CIA, did agree to talk to De Volkskrant, but could not confirm whether Stuxnet was indeed delivered via water pumps due to it still being classified information. 
One interesting piece of information that has come to light in De Volkskrant's investigation is that Hayden reportedly told one of the newspaper's sources that it cost between $1 and $2 billion to develop Stuxnet. So what's the upshot for you? Pump it. The details of the mysterious Stuxnet are finally starting to flow.

So to recap: This week we started with a couple of fan faves from the Consumer Electronics Show, an iPhone charger that can turn 360 degrees as it tracks your face around the room, and a flying car that is quieter than your dishwasher. From there we tracked down a slight alteration in the OpenAI policy that now allows military use of their AI. We found out that Apple knew that Chinese authorities were tracking IP addresses, and thereby the identities of AirDrop senders, way back in 2019. We tapped into a supply-side typo that meant that everyone within a 2-mile radius in San Francisco had their activities included in a 2-mile police sweep. Reddit goes back to court for a third time in a year as movie studios try to discover the identities of people sharing their films. Quantum-computing-proof encryption efforts take another hit as a compromise called KyberSlash is used to recover secret keys. And we finished with some investigative journalism into the Stuxnet worm and how a Dutch engineer installed it, on a water pump, in a massive Iranian infrastructure take-down. And our quote of the week - "Good thinkers always prime the pump of ideas. They always look for things to get the thinking process started, because what you put in always impacts what comes out." - John C. Maxwell. That's it for this week. Stay safe, stay secure, get pumped up, and we'll see you in se7en!

The IT Privacy and Security Weekly Update with Space, man... for the week ending January 9th, 2024 (1/9/2024). Episode 173
This week we need some space, man.
We start with phones and cellphone towers in low Earth orbit, then we move on to one of the most intriguing iPhone compromises we've ever heard of, and we have heard plenty. Who is behind this one? That's for you to decide. From there we learn about a Mandiant account hijack (wait, aren't they one of the most elite security companies? Weren't they the second most expensive company that Google ever purchased?). Then we have a section of the update for slow learners, and we promise it's not this audience! Then it's "why we need to patch our Windows machines" before a story about catching a pest that finds a new home every Sunday. We end with an update that is good enough to be out of the Jetsons. This is the best IT Privacy and Security Update so far this year! We love it and we know you will too!

LEO: Starlink launches first "cellphone towers in space" for use with LTE phones
https://arstechnica.com/tech-policy/2024/01/spacex-launches-first-starlink-satellites-that-will-work-with-t-mobile-phones/
Just after the release of last week's podcast, SpaceX launched the first six Starlink satellites that will provide cellular transmissions for customers of T-Mobile and other carriers. SpaceX said it launched 21 satellites overall, including "the first six Starlink satellites with Direct to Cell capabilities that enable mobile network operators around the world to provide seamless global access to texting, calling, and browsing wherever you may be on land, lakes, or coastal waters without changing hardware or firmware. The enhanced Starlink satellites have an advanced modem that acts as a cellphone tower in space, eliminating dead zones with network integration similar to a standard roaming partner," the company said. Besides T-Mobile in the US, other carriers are Rogers in Canada, KDDI in Japan, Optus in Australia, One NZ in New Zealand, Salt in Switzerland, and Entel in Chile and Peru.
While SpaceX CEO Elon Musk wrote that the satellites will "allow for mobile phone connectivity anywhere on Earth," he also described a significant bandwidth limit: "it is not meaningfully competitive with existing terrestrial cellular networks." So what's the upshot for you? From US carrier T-Mobile: "Initially, the service will begin with text messaging, with voice and data coverage to follow in the coming years." Carrier testing of the functionality is due to begin soon.

RU: Kaspersky discloses iPhone hardware feature vital in Operation Triangulation case
https://www.kaspersky.com/about/press-releases/2023_kaspersky-discloses-iphone-hardware-feature-vital-in-operation-triangulation-case
Security researchers at Kaspersky have uncovered a significant hardware-based vulnerability in Apple devices, exploited in a recent 0-click iMessage attack. This undisclosed hardware feature enabled attackers to bypass established security measures and gain control over protected memory regions. Apple has since addressed the issue (CVE-2023-38606). The obscure nature of this feature posed a challenge for detection, requiring extensive reverse engineering by Kaspersky's researchers. The process involved a deep dive into iPhone hardware and software integration, focusing on Memory-Mapped I/O (MMIO) addresses crucial for CPU-peripheral communication. We know that all Apple iPhones containing the A12 through A16 chipsets contain this backdoor and always will. We don't know that it's the only backdoor those chipsets contain. But Apple doesn't need another backdoor, since they still have access to this one. They locked a door in front of this one (with the latest updates), but they can always unlock it. After being contacted by Kaspersky, Apple's iOS updates blocked the memory-mapped I/O access that was discovered being taken advantage of by malware. Apple is able to run any software they choose on their own phones.
Which means that Apple still has access to this hidden path should it ever need to use it, and with that it has lost plausible deniability: it has the technical ability to open any of these iPhones. One caveat worth stating plainly: in Triangulation the MMIO trick was the final link in a chain of zero-days, used after the attackers already had kernel code execution, to defeat the hardware memory protection that would otherwise have contained them. On its own it is a protection bypass, not a stand-alone unlock. The party that signs the kernel, of course, does not need the rest of the chain.

So what's the upshot for you? This poses a new problem for Apple when law enforcement comes knocking with a court order, as it is almost certain to, with requests far below the bar for unlocking random iPhones to “assist” in this or that case. Another fine mess for Apple.

US: Mandiant, the security firm Google bought for $5.4 billion, gets its X account hacked
https://arstechnica.com/security/2024/01/hacked-x-account-for-google-owned-security-firm-mandiant-pushes-cryptocurrency-scam/

Google-owned security firm Mandiant spent several hours trying to regain control of its account on X (formerly known as Twitter) last Wednesday after an unknown scammer hijacked it and used it to spread a link that attempted to steal cryptocurrency from people who clicked on it. Mandiant is one of the leading security companies and is best known for helping clients investigate and recover from major network compromises. That vantage point gives it major insights into threat actors, many of them backed by nation-states, and the often previously unknown tactics, techniques, and procedures they use to compromise the security of some of the world’s most powerful and well-resourced organizations. Google purchased Mandiant in 2022 for $5.4 billion, which, at the time, was its second-biggest acquisition ever. Many questions remain about Mandiant's measures to secure its X account. Among them: was it protected by a strong password and any form of two-factor authentication? Last month, someone claimed to have discovered that the social media site was vulnerable to a “reflected XSS,” a type of vulnerability in which attacker-supplied script is reflected back by the site and runs in the victim's browser with the victim's session, so it can sometimes be used to compromise an account when a legitimate, currently logged-in user clicks on a malicious link in a different browser tab.
The user said they reported the vulnerability through legitimate channels but that the submission didn’t qualify under the X bug bounty program.

So what's the upshot for you? This validates the old saying about getting hacked: "It's not if, but when." Comprehensive, layered security makes all the difference, and technologies are evolving that reduce the inconvenience of increasing your security. For a high-profile social media account that means phishing-resistant two-factor authentication (a hardware key or passkey rather than an SMS code) and knowing, before it happens, who at your organization can reach the platform to recover the account.

US: LastPass will finally enforce a 12-character minimum master password
https://www.theverge.com/2024/1/3/24024012/lastpass-master-password-12-character-minimum-requirement-data-breach

Following a high-profile security breakdown in 2022, LastPass is finally imposing a 12-character minimum for customers’ master passwords. LastPass’ security woes are well documented: breaches in 2022 allowed hackers to steal customer vault data. If you were affected, this meant the only things between a bad actor and all of your passwords were the master password used to secure your LastPass account and the work factor of the key derivation that turns it into the vault key. When all of this came to light a year ago (a year ago!) experts criticized the company for not enforcing the 12-character minimum on older accounts or updating other settings that increase security, like a higher minimum number of password-hashing iterations (the PBKDF2 round count used to derive the vault key). Finally, both settings will be applied to older accounts too.

So what's the upshot for you? Even if you’re not a LastPass customer (and we sincerely hope you are not), consider this your sign to revisit critical passwords and double-check relevant settings. A few more characters could make all the difference. One caveat: raising the iteration count or changing the master password today does nothing for the vault copies taken in 2022, which were encrypted under the old settings; the passwords stored inside those vaults still need to be changed.

Global: For Microsoft, the first Patch Tuesday of 2024 is a busy one.
https://www.securityweek.com/microsoft-ships-urgent-fixes-for-critical-flaws-in-windows-kerberos-hyper-v/

Microsoft hit the ground running with the first Patch Tuesday release for 2024, rolling out security fixes for at least 49 security defects in a wide range of Windows OS and software components.
The company called special attention to a pair of flaws with severe remote code execution risks, urging Windows fleet administrators to prioritize a security feature bypass in Windows Kerberos and a race condition in Windows Hyper-V. The Kerberos problem, tracked as CVE-2024-20674, is a bypass of an authentication feature that could allow impersonation, and carries a CVSS severity rating of 9 out of 10. Microsoft also urged immediate patching of CVE-2024-20700 in Windows Hyper-V, warning that a race condition exposes the operating system to remote code execution attacks.

So what's the upshot for you? The rollout also covers security problems in Microsoft Office, Azure, SQL Server, Internet Explorer, Windows LibArchive and SharePoint Server. If you can only patch two things this week, make them the Kerberos and Hyper-V fixes.

Global: RAT campaign busted
https://www.bleepingcomputer.com/news/security/stealthy-asyncrat-malware-attacks-targets-us-infrastructure-for-11-months/

A campaign delivering the AsyncRAT malware to select targets has been active for at least the past 11 months, using hundreds of unique loader samples and more than 100 domains. AsyncRAT is an open-source remote access tool (RAT) for Windows, publicly available since 2019, with functions for remote command execution, keylogging, data exfiltration, and dropping additional payloads. The tool has been heavily used by cybercriminals over the years, either as is or in modified form, for establishing a foothold on the target, stealing files and data, and deploying additional malware. In September, AT&T's Alien Labs team of researchers noticed "a spike in phishing emails, targeting specific individuals in certain companies" and started to investigate. “The victims and their companies are carefully selected to broaden the impact of the campaign.
Some of the identified targets manage key infrastructure in the U.S.” - AT&T Alien Labs

The attacks begin with a malicious email carrying a GIF attachment that leads to an SVG file, which in turn downloads obfuscated JavaScript and PowerShell scripts. After passing some anti-sandboxing checks, the loader contacts the command and control server, which decides whether the victim is eligible for the AsyncRAT infection. The hardcoded command and control domains are hosted on BitLaunch, a service that accepts anonymous cryptocurrency payments, a useful option for cybercriminals.

So what's the upshot for you? This one is interesting in that the loader contains a domain generation algorithm that produces a new domain every Sunday for the RATs to report into. AT&T was able to decode the logic behind the domain generation and even predicted the domains that will be generated and assigned to the malware throughout January 2024. The domains used in the campaign follow a specific structure: they use the .top top-level domain, consist of eight random alphanumeric characters, are registered through Nicenic.net with South Africa as the country code, and are hosted on DigitalOcean. So at least now they can be blocked, or taken down, before the malware rolls over to them.

US: Your own robotic personal assistant. The time is tantalizingly near
https://twitter.com/MatthewBerman/status/1743675177437974730
https://mobile-aloha.github.io/

Matthew Berman reviewed the white paper we link to above and reckoned Mobile ALOHA might cost as little as $32k to build and is entirely open source. "We are closer than we thought to ubiquitous household robots. All of the parts can be found and purchased right now, many of which can be found on Amazon. It uses imitation learning, by combining existing robotic data with human-controlled (teleoperated). It also uses basic hardware, like cheap webcams mapped to whole-body actions. Because of the battery and additional weight at the bottom (in red), it can lift heavy things without tipping over.
And as mentioned, it is completely untethered, allowing it to move around the real world with ease. And it can generalize its learning to other behaviors. In one video, it learns to push in chairs and then pushes in other chairs it wasn't actually trained on." The developers took the earlier ALOHA low-cost bimanual teleoperation system and augmented it with a mobile base and a whole-body teleoperation interface.

So what's the upshot for you? You train it initially: the model learns from your demonstrations, so when presented with a similar situation it reacts appropriately. With 50 demonstrations for each task, co-training with existing robot data can increase success rates by up to 90%, allowing Mobile ALOHA to autonomously complete complex mobile manipulation tasks such as sauteing and serving a piece of shrimp, opening a two-door wall cabinet to store heavy cooking pots, calling and entering an elevator, and lightly rinsing a used pan under a kitchen faucet.

To recap: This week we got some space, man. Elon Musk and T-Mobile are preparing to test space phones and you know what? This tech will probably work on the phones we have right now! From there we went deep with the iPhone hack unravelled by security firm Kaspersky. Actually, they probably would never have discovered this very clever memory-mapping trick had they not been watching their own network. The big question now, when the cops come banging on Apple’s door for access to a phone, is how does Apple say “no”? We found Mandiant with a hacked X (Twitter) account and the realization that layered security and inconvenience to hackers is the best policy, but it’s still not foolproof. And then, there it is! A year late, but LastPass finally enforces 12-character master passwords and a higher key-derivation iteration count on customer accounts. So now both remaining customers are protected, provided they changed all the passwords that were in LastPass’ backups. Next Microsoft went large with 49 updates for Windows while AT&T went small and buried a RAT.
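The Sunday domain rotation in the AsyncRAT item above is exactly the kind of logic a defender can put to work once it has been decoded: generate the domains ahead of time, feed them to the blocklist or sinkhole, and sweep the DNS logs for both the predicted names and anything with the same shape. The Python below is an added example of that workflow and is not AT&T's decoded algorithm or the malware's code: the generator is a stand-in that reproduces only the published observable shape (eight lowercase alphanumerics under .top, one domain per Sunday-to-Saturday week), the seed string is invented, and the DNS log lines are constructed for the demo.

```python
"""Calendar-driven DGA: predict the domains, then hunt for them (added example).

The generator is a stand-in with the published shape of the AsyncRAT loader's
output (eight lowercase alphanumerics under .top, one domain per Sunday-to-
Saturday week). It is NOT the decoded malware algorithm; the seed is invented.
"""
import hashlib
import re
import string
from datetime import date, timedelta

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols
TLD = "top"
SEED = "illustrative-seed"  # stands in for whatever constant the real loader mixes in


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string (as pulled from a log)."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def week_anchor(d):
    """The Sunday that starts the week containing d (weekday(): Mon=0 .. Sun=6)."""
    d = _as_date(d)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def dga_domain(d, seed=SEED):
    """One eight-character .top domain per week, stable Sunday through Saturday."""
    digest = hashlib.sha256(f"{seed}|{week_anchor(d).isoformat()}".encode()).digest()
    # byte % 36 is slightly biased toward the first symbols; irrelevant here, but noted
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])
    return f"{label}.{TLD}"


def predict_domains(start, weeks, seed=SEED):
    """Domains for `weeks` consecutive weeks from the week of `start` (blocklist feed)."""
    first = week_anchor(start)
    return [dga_domain(first + timedelta(weeks=i), seed) for i in range(weeks)]


# Shape-only hunt: needs no seed, so it also flags unknown variants with the same
# structure, at the price of false positives on legitimate eight-character .top names.
CANDIDATE_RE = re.compile(r"^[a-z0-9]{8}\.top$")


def looks_like_candidate(hostname):
    return bool(CANDIDATE_RE.match(hostname.lower().rstrip(".")))


def hunt(log_lines, known=frozenset()):
    """Parse 'timestamp client qname' lines; return (ts, client, qname, verdict) hits.

    verdict is 'known-dga' when the name is in the predicted set, 'pattern' for a
    shape match only. Malformed lines are skipped rather than aborting the hunt.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        q = qname.lower().rstrip(".")
        if q in known:
            hits.append((ts, client, q, "known-dga"))
        elif looks_like_candidate(q):
            hits.append((ts, client, q, "pattern"))
    return hits


# Constructed sample log for the demo; timestamps and addresses are invented.
SAMPLE_LOG = [
    "2024-01-14T09:12:03Z 10.0.0.21 " + dga_domain("2024-01-14"),
    "2024-01-14T09:12:04Z 10.0.0.21 www.example.com",
    "2024-01-15T11:00:00Z 10.0.0.42 q7m2kd9z.top",  # right shape, not a predicted name
    "2024-01-15T11:00:01Z 10.0.0.42 login.microsoftonline.com",
    "not a well-formed log line",
]


def demo():
    """Predict every week of January 2024, then sweep the sample log."""
    known = frozenset(predict_domains("2024-01-01", weeks=5))
    return hunt(SAMPLE_LOG, known)


if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

Two verdicts come out of the sweep: a "known-dga" hit, which is high confidence and can go straight to blocking and host isolation, and a "pattern" hit, which is a lead to triage rather than an alert in its own right. Keeping the shape rule separate from the seed-based prediction is what lets the same hunt catch a loader variant whose constant AT&T has not yet decoded.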
Finally we got to see the open source Mobile ALOHA in action and perhaps had breakfast thrown in. Poor Rosie.

And our quote of the week: “I visualize a time when we will be to robots what dogs are to humans, and I'm rooting for the machines.” - Claude Shannon

That's it for this week. Stay safe, stay secure, please let Rosie in on your way out and we'll see you in se7en!

The IT Privacy and Security Weekly Update Feeling Good for the week ending January 2nd, 2024 (1/2/2024). Episode 172.

This week we focus on our amazing kids. From the effect the phone we send them off with “to keep them safe” has on them, to an amazing 13 year old crushing a 34 year old arcade game. We even end with advice from a Nobel prize winner about what you might not want to study. From the kids, we turn to Apple and what is going on between them and the world’s biggest democracy. We then follow Apple to researchers who think they have found the perfect way to keep Apple AirTags from being used to track people. We get an update on the failure of the open source GPL (General Public License) and what one key figure thinks could replace it. The Google gets some bad news as it is denied a request to have a court case thrown out, and then some great news on the safety record of its Waymo subsidiary. It’s a new dawn, it’s a new day, it’s a new life… and we’re feeling good!

Global: Is the mobile phone making students dumber?
https://www.oecd.org/publication/pisa-2022-results/
https://www.theatlantic.com/ideas/archive/2023/12/cell-phones-student-test-scores-dropping/676889/

The Programme for International Student Assessment (PISA) is a worldwide study by the Organisation for Economic Co-operation and Development (OECD) in member and non-member nations intended to evaluate educational systems by measuring 15-year-old school pupils' scholastic performance in mathematics, science, and reading.
PISA found a few interesting phone-related stats in its review of the 2022 data. First, students who spend less than one hour of “leisure” time a day on digital devices at school scored about 50 points higher in math than students whose eyes are glued to their screens more than five hours a day. This gap held even after adjusting for socioeconomic factors. Second, screens seem to create a general distraction throughout school, even for students who aren’t always looking at them. Andreas Schleicher, the director of the PISA survey, wrote that students who reported feeling distracted by their classmates’ digital habits scored lower in math. Finally, nearly half of students across the OECD said that they felt “nervous” or “anxious” when they didn’t have their digital devices near them. (On average, these students also said they were less satisfied with life.) This phone anxiety was negatively correlated with math scores.

Hanging a big thesis like “phones are making kids dumber” on any particular survey is generally inadvisable. In fact, this would be a fair time to point out that PISA scores do not enjoy universal praise among education experts. As the saying goes, "Intelligence is whatever a test measures." But the latest PISA survey isn’t the only evidence that phones in schools are weapons of mass distraction. Studies have shown that students on their phones take fewer notes and retain less information from class, that “task-switching” between social media and homework is correlated with lower GPAs, that students who text a lot in class do worse on tests, and that students whose cellphones are taken away in experimental settings do better on tests.

So what's the upshot for you? Could better grades be as simple as banning phones from the classroom?
Results from a decade of observational research have now repeatedly shown a negative relationship between device use and life satisfaction, happiness, school attention, information retention, in-class note-taking, and student achievement, with task-switching as the mechanism that shows up again and again. And the cognitive and emotional costs are highest for those with the most “device dependence.”

US: 34 years and Tetris has finally been beaten
https://www.thegamer.com/tetris-beaten-34-years/
https://youtu.be/uh5hRtEFwQI

We're just two days into 2024 and already gaming history is being made. 13-year-old Willis Gibson has beaten the original NES Tetris, previously thought to be an impossible task, after 34 years. The assumption was that Tetris went on forever and ever until you finally ran out of space. While that's mostly true, as the game has no story, levels, or any form of progress beyond high scores and increasing speed, you "beat" the game by crashing it, AKA reaching the "True Killscreen". It's called the "True Killscreen" because, for decades, it was assumed that level 29 was the Killscreen. For context, the longer you play Tetris, the faster the blocks fall, upping the ante as you're forced to think in split-second moments about where each piece should drop. The speed caps at level 29, making it near impossible to reach the sides. So the community believed that was the 'end' of the game. It isn't. The end comes when you reach a level so high that Tetris simply crashes.

So what's the upshot for you? Apparently Willis has not had much time for his phone (see previous story). What an uplifting start to 2024!
IN: Amnesty International Confirms Apple's Warning to Journalists About Spyware-Infected iPhones
https://techcrunch.com/2023/12/27/india-pressed-apple-on-state-sponsored-warnings-report-says/

Apple's warnings in late October that Indian journalists and opposition figures may have been targeted by state-sponsored attacks prompted a forceful counterattack from Prime Minister Narendra Modi's government. India has never confirmed nor denied using the Pegasus tool, but nonprofit advocacy group Amnesty International reported Thursday that it found NSO Group's invasive spyware on the iPhones of prominent journalists in India, lending more credibility to Apple's earlier warnings. "Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation," said the head of Amnesty International's Security Lab, in the blog post. The Pegasus spyware has existed for a significant amount of time, and is advertised and sold for use on high-value targets for multiple purposes, including high-level espionage on iOS, Android, and BlackBerry.

So what's the upshot for you? It feels wrong that those elected into power in the world's largest democracy have to start adopting so many of the tools that autocrats use.

Global: Researchers Come Up With Better Idea To Prevent AirTag Stalking
https://www.wired.com/story/apple-airtag-privacy-stalking-cryptographic-solution/
https://eprint.iacr.org/2023/1332.pdf

Apple's AirTags, designed for convenience, are also misused as tracking tools by abusers and criminals. Apple recently implemented alerts for iPhone and Android users, notifying them of a nearby AirTag that is travelling with them while separated from its owner's iPhone, a hint of potential stalking.
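The core cryptographic idea behind the Johns Hopkins and UC San Diego proposal in this item is threshold secret sharing: the tag's fixed identity is never broadcast as such; each beacon carries one share of it, so a phone that overhears a tag in passing learns nothing, while a phone that keeps hearing the same tag eventually holds enough shares to reconstruct the identity and show that it is being followed. The Python below is an added illustration of that idea using Shamir's scheme over a prime field; it is not the researchers' construction (which also uses error-correcting codes to cope with lost and interleaved beacons, and has to link a tag's rotating broadcasts to one another, which the demo simply assumes). The threshold, share count and identifier size are arbitrary choices for the demo.

```python
"""Threshold secret sharing as an abuse-resistant tracking beacon (added illustration).

A tag never broadcasts its static identity directly. Each beacon carries one
Shamir share of it: hearing a few beacons reveals nothing, hearing `threshold`
distinct ones recovers the identity. Not the Johns Hopkins / UC San Diego
construction (which also adds error-correcting codes); parameters are arbitrary.
"""
import secrets

P = 2**127 - 1  # prime field modulus; large enough to hold a 128-bit-ish identifier


def _eval_poly(coeffs, x):
    """Evaluate a polynomial at x mod P via Horner; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_shares(secret, threshold, count):
    """Split `secret` into `count` shares (x, y); any `threshold` of them recover it."""
    if not (0 <= secret < P and 1 <= threshold <= count < P):
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, count + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over shares with distinct x.

    With fewer shares than the threshold this still returns a number, but one
    that is independent of the secret: that is the privacy guarantee.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


class Tag:
    """Broadcasts one share per epoch, cycling through the share list."""

    def __init__(self, identity, threshold=8, count=24):
        self.threshold = threshold
        self._shares = make_shares(identity, threshold, count)
        self._epoch = 0

    def broadcast(self):
        share = self._shares[self._epoch % len(self._shares)]
        self._epoch += 1
        return share


class Phone:
    """Collects beacons (assumed already attributed to one tag) and identifies it
    only once enough distinct shares have arrived."""

    def __init__(self):
        self.heard = {}  # x -> y; a dict de-duplicates repeated shares

    def hear(self, share):
        x, y = share
        self.heard[x] = y

    def identify(self, threshold):
        if len(self.heard) < threshold:
            return None  # brief encounter: a benign tag stays anonymous
        return reconstruct(list(self.heard.items())[:threshold])


def simulate(exposure_epochs, threshold=8, count=24, identity=None):
    """Return (what the phone recovered or None, the tag's true identity)."""
    if identity is None:
        identity = secrets.randbelow(P)
    tag, phone = Tag(identity, threshold, count), Phone()
    for _ in range(exposure_epochs):
        phone.hear(tag.broadcast())
    return phone.identify(threshold), identity


if __name__ == "__main__":
    seen, _ = simulate(exposure_epochs=3)
    print("passing bystander recovers:", seen)
    seen, real = simulate(exposure_epochs=12)
    print("followed person recovers identity:", seen == real)
```

The threshold is the policy knob Green is describing: below it the shares are information-theoretically useless, at it the identity snaps into view. Setting it is a trade-off between how long a victim must be followed before the phone can say anything and how much a bystander is allowed to learn, and the real design has to make the same choice with noisy, incomplete beacon data.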
Researchers from Johns Hopkins and UC San Diego devised a cryptographic scheme to improve detection of malicious AirTags while preserving the privacy of benign tags and their owners. The solution combines "secret sharing", so that a tag's static identity can only be recovered by someone who has observed enough of its beacons, with "error correction coding" to cope with the messy stream of beacons a phone actually hears in real-world scenarios. This aims to mitigate the dark side of AirTags, addressing concerns about privacy invasion and misuse.

So what's the upshot for you? “What I love about this problem is it seems like there are two competing requirements that can't be reconciled,” says Johns Hopkins cryptographer Matt Green. “But in cryptography, we can get full privacy and then, magically, the puzzle pieces click into place, or a ‘chemical reaction’ happens, and we phase-transition to a point where suddenly it’s obvious that this is a stalker, not just a benign AirTag. It's very powerful to be able to go between those two moments.” We hope it works!

Global: What Comes After Open Source? Bruce Perens Is Working On It
https://www.theregister.com/2023/12/27/bruce_perens_post_open/

Bruce Perens, a key figure in the Open Source movement, is spearheading what he calls the Post-Open movement. In an interview, he highlights issues with existing licenses, citing GPL circumvention by major players like Red Hat Enterprise Linux (RHEL), now under IBM. Perens emphasizes the failure of Open Source to benefit the common person, often serving proprietary systems instead. He introduces "Post-Open," proposing a fair corporate-developer relationship, free use for individuals and nonprofits, and simplified licensing. Post-Open aims to incentivize user-friendly applications by paying developers, funded by companies.

So what's the upshot for you? Perens writes, "The problem is that Open Source has completely failed to serve the common person.
For the most part, if they use us at all they do so through a proprietary software company's systems, like Apple iOS or Google Android, both of which use Open Source for infrastructure but the apps are mostly proprietary. The common person doesn't know about Open Source, they don't know about the freedoms we promote which are increasingly in their interest. Indeed, Open Source is used today to surveil and even oppress them." Free Software, Perens explains, is now 50 years old and the first announcement of Open Source occurred 30 years ago. "Isn't it time for us to take a look at what we've been doing, and see if we can do better?" Perens acknowledges the challenges and questions whether this shift is even achievable.

US: CBS, Paramount Owner National Amusements Says It Was Hacked
https://techcrunch.com/2023/12/26/cbs-paramount-owner-national-amusements-hacked/

National Amusements, the cinema chain and corporate parent of media giants Paramount and CBS, has confirmed it experienced a data breach in which hackers stole the personal information of tens of thousands of people. The private media conglomerate said in a legally required filing with Maine's attorney general that hackers stole personal information on 82,128 people during a December 2022 data breach. Details of the December 2022 breach only came to light a year later, after the company began notifying those affected last week. According to the Maine notice, the company discovered the breach months later, in August 2023, but did not say what specific personal information was taken. The data breach notice filed with Maine said that hackers also stole financial information, such as bank account numbers or credit card numbers in combination with associated security codes, passwords or secrets.

So what's the upshot for you? With the US Securities and Exchange Commission (SEC) now requiring public companies to disclose a material cybersecurity incident within four business days of determining that it is material, it will be interesting to see how discoveries like this are handled going forward.
Taking a year to discover that your client data was stolen, and another year to tell anyone, may mean big fines for those making the discoveries.

US: Someone's going to make some money over Google's tracking in Incognito mode, but it won't be you!
https://arstechnica.com/tech-policy/2023/12/google-agrees-to-settle-in-chrome-incognito-mode-class-action-lawsuit/

Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over its Chrome browser's Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to "track, collect, and identify [users'] browsing data in real time" even when they had opened a new Incognito window. The lawsuit, filed by Florida resident William Byatt and California residents Chasom Brown and Maria Nguyen, accused Google of violating wiretap laws. It also alleged that sites using Google Analytics or Ad Manager collected information from browsers in Incognito mode, including web page content, device data, and IP address. The plaintiffs also accused Google of taking Chrome users' private browsing activity and then associating it with their already-existing user profiles. Google initially attempted to have the lawsuit dismissed by pointing to the message displayed when users turn on Chrome's Incognito mode. That warning tells users that their activity "might still be visible to websites you visit." Judge Yvonne Gonzalez Rogers rejected Google's bid for summary judgment in August, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode. "Google’s motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode,” Rogers ruled. “Because Google never explicitly told users that it does so, the Court cannot find as a matter of law that users explicitly consented to the at-issue data collection."
According to the notice filed on Tuesday, Google and the plaintiffs have agreed to terms that will result in the litigation being dismissed. The agreement will be presented to the court by the end of January, with the court giving final approval by the end of February.

So what's the upshot for you? We would love to know what the settlement amounts were, but no doubt there are NDAs (non-disclosure agreements) in place that prevent that detail from being revealed. The practical lesson stands regardless: Incognito mode hides your history from other users of the same device, not from the sites you visit or the trackers embedded in them.

US: 7.1 million miles, 3 minor injuries: Waymo’s safety data looks good
https://arstechnica.com/cars/2023/12/human-drivers-crash-a-lot-more-than-waymos-software-data-shows/

Last Wednesday Waymo released new crash data based on the company's first 7.1 million miles of fully driverless operations in Arizona and California. The data shows that human-driven cars are more than twice as likely to get into a crash that is reported to the police. And depending on how you do the math, human-driven cars are four to seven times more likely to get into crashes that lead to an injury. Through October 2023, driverless Waymo vehicles had had only three crashes with injuries: two in the Phoenix area and one in San Francisco. Waymo says all three injuries were minor. If those same miles had been driven by typical human drivers in the same cities, we would have expected around 13 injury crashes. Waymo partnered with Swiss Re, a reinsurance company that has access to a comprehensive database of insurance claims. The Swiss Re study was based on 3.8 million miles of driving in Phoenix and San Francisco up through August 1, and it came to conclusions similar to Waymo’s new study: Swiss Re found that human-driven vehicles got into crashes involving property damage four times as often as Waymo vehicles. Fatal crashes only occur on the road about once every 100 million miles.
This means that we’re going to need to test driverless vehicles for hundreds of millions, if not billions, of miles before we can be sure whether they cause fewer fatal crashes than human drivers.

So what's the upshot for you? We suggest that in 10 years' time you will look back and think how crazy it was to go out onto a public road with random drivers in 1,949 kg (2.15 ton) vehicles and nothing more than their supposed good judgement protecting you. It might take a few more years of real road tests, but automated driving is coming.

UK: Nobel Prize Winner Cautions on Rush Into STEM
https://www.bloomberg.com/news/articles/2024-01-02/nobel-prize-winner-cautions-on-rush-into-stem-after-rise-of-ai

A Nobel Prize-winning labor market economist has cautioned younger generations against piling into studying science, technology, engineering, and mathematics (STEM) subjects, saying that "empathetic" and creative skills may thrive in a world dominated by artificial intelligence. Christopher Pissarides, professor of economics at the London School of Economics, said that workers in certain IT jobs risk sowing their "own seeds of self-destruction" by advancing AI that will eventually take the same jobs in the future. While Pissarides is an optimist on AI's overall impact on the jobs market, he raised concerns for those taking STEM subjects hoping to ride the coattails of the technological advances. He said that despite rapid growth in the demand for STEM skills currently, jobs requiring more traditional face-to-face skills, such as in hospitality and healthcare, will still dominate the jobs market. "The skills that are needed now -- to collect the data, collate it, develop it, and use it to develop the next phase of AI or more to the point make AI more applicable for jobs -- will make the skills that are needed now obsolete because it will be doing the job," he said in an interview.
"Despite the fact that you see growth, they're still not as numerous as might be required to have jobs for all those graduates coming out with STEM because that's what they want to do." He added, "This demand for these new IT skills, they contain their own seeds of self destruction."

So what's the upshot for you? Take every suggestion with a grain of salt as you prepare your resources for your forward career path. The most important thing for success in a career is to find something you love.

So to recap: This week we focused on our amazing kids. We sank with the discovery of our children’s grades doing the same with the addition of that phone in their back pockets. Is it time to transfer the phone to a different school? It would seem so. From the kids, we turned to Apple and the flak they are taking from the Modi government in India, as confirmed by Amnesty International. Then we got a new two-part recipe to reduce the risk of Apple AirTag stalking that Google, Samsung and Apple can implement. We learned of IBM’s brazen disregard for the GNU General Public License on Red Hat Enterprise Linux, and the replacement licensing that Bruce Perens thinks we need to have corporate players compensate open source developers for their time and efforts. The Google quietly settles with three people out of court over tracking while in Incognito mode, and then rather less quietly informs us of Waymo’s excellent driverless safety record. It’s a new dawn, it’s a new day, it’s a new life… and we’re feeling good!

And our quote of the week: "I never lose. Either I win, or I learn." - Nelson Mandela

Your Boxing Day IT Privacy and Security Weekly Update for the week ending December 26th, 2023 (12/26/2023). Episode 171.

If you missed getting that special someone that special gift, we have more solid ideas for you this week: a concept jet engine and the source code for Grand Theft Auto 5 as possible suggestions.
We get some insight on why the compromise of your personally identifiable information is not something to take lightly, as well as the world coming to realize that you can build a nuclear program on someone else's blockchain. We get some great insight on just how easy it is to trick ChatGPT into divulging its training data. Then the US government slaps a 5 year ban on Rite Aid for using facial recognition software, just as the UK is sneaking a country-wide integration into place. We end this week with something so basic a child could figure it out. And did. Leaving television content producers to catch up from behind. This brings us to the end of a year that has profoundly changed the course of humankind, from the decimation of animal species, to the environment, to each other. Let’s all learn from 2023 and make 2024 so much better. Come on! It’s Boxing Day and time to reveal your last gift.

US: A New Type Of Jet Engine That Could Revive Supersonic Air Travel And Be At The Top Of Next Year's Gift List!
https://www.economist.com/science-and-technology/2023/12/19/a-new-type-of-jet-engine-could-revive-supersonic-air-travel

And for that lucky person who was gifted the jet engine last week: well, next year they are going to need something better, faster and more efficient than a Concorde jet engine and afterburner. Well, we found it for you! GE Aerospace, a major jet engine producer, is developing a rotating detonation engine (RDE) with potential applications in missiles, offering improved range and speed. Similarly, Raytheon, under a $29 million contract from America’s Defense Advanced Research Projects Agency, is working on the Gambit RDE. These engines could transcend their missile propulsion role, impacting aviation and potentially reviving supersonic air travel. Unlike conventional engines, RDEs use controlled explosions, employing detonation rather than steady combustion for a more powerful and efficient thrust.
Simplifying the design, RDEs create a self-sustaining detonation, presenting a promising advancement in aerospace technology.

So what's the upshot for you? Controlled explosions. That's the way forward in jet engines.

Global: The source code for Grand Theft Auto 5 was reportedly leaked on Christmas Eve
https://www.bleepingcomputer.com/news/security/gta-5-source-code-reportedly-leaked-online-a-year-after-rockstar-hack/

The source code for Grand Theft Auto 5 was reportedly leaked on Christmas Eve, a little over a year after the Lapsus$ threat actors hacked Rockstar Games and stole corporate data. Links to download the source code were shared on numerous channels, including Discord, a dark web website, and a Telegram channel that the hackers previously used to leak stolen Rockstar data. In a post to a Grand Theft Auto leak channel on Telegram, the channel owner known as 'Phil' posted links to the stolen source code, sharing a screenshot of one of the folders.

So what's the upshot for you? Happy Holidays to the gamers!

US: Mint Mobile Discloses New Data Breach Exposing Customer Data
https://www.bleepingcomputer.com/news/security/mint-mobile-discloses-new-data-breach-exposing-customer-data/

Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks. Mint is a US-based mobile virtual network operator (MVNO) offering budget, pre-paid mobile plans. T-Mobile has proposed paying $1.3 billion to purchase the company. The company began notifying customers on December 22nd via emails titled "Important information regarding your account," stating that they suffered a security incident and a hacker obtained customer information. "We are writing to inform you about a security incident we recently identified in which an unauthorized actor obtained some limited types of customer information," warns the Mint Mobile data breach notification.
"Our investigation indicates that certain information associated with your account was impacted."

So what's the upshot for you? For the 90% of the population that uses their phone for SMS two-factor authentication, having your health, personal, and financial information breached is bearable, but once they get that and your phone data, stealing your identity gets waaaaaay easier.

US/KP: To Stem North Korea's Missiles Program, White House Looks To Its Hackers
https://www.politico.com/news/2023/12/21/north-korea-missiles-program-hackers-00132871

Convinced North Korea primarily sees hacking as a way to funnel money back to the cash-strapped Kim Jong Un regime, the White House has focused on blocking the country's ability to launder the cryptocurrency it steals through its cyberattacks. In the last year, the administration has unveiled a flurry of sanctions against North Korean hacking groups, front companies and IT workers, and blacklisted multiple cryptocurrency services they use to launder stolen funds. Earlier this month, national security adviser Jake Sullivan announced a new partnership with Japan and South Korea aimed at cracking down on Pyongyang's crypto bonanza, thereby choking off money to its nuclear and conventional weapons programs.

"In countering North Korean cyber operations, our first priority has been focusing on their crypto heists," Anne Neuberger, the National Security Council's top cybersecurity official, said in an interview. The stepped-up effort to blunt North Korea's cyber operations is fueled by growing alarm about where the fruits of those attacks are going, Neuberger said. Hacking, she argued, has enabled North Korea to "either evade sanctions or evade the steps the international community has taken to target their weapons proliferation ... their missile regime, and the growth in the number of launches we've seen."

So what's the upshot for you?
It's pretty amazing when a country can build a whole nuclear program off the back of hacking activities in what? 10 years?

Global: ChatGPT Exploit Finds 24 Email Addresses, Amid Warnings of 'AI Silo'
https://thehill.com/opinion/technology/4372206-for-microsoft-the-openai-tumult-is-heads-i-win-tails-you-lose/

The New York Times reports: Last month, I received an alarming email from someone I did not know: Rui Zhu, a Ph.D. candidate at Indiana University Bloomington. Mr. Zhu had my email address, he explained, because GPT-3.5 Turbo, one of the latest and most robust large language models (L.L.M.) from OpenAI, had delivered it to him. My contact information was included in a list of business and personal email addresses for more than 30 New York Times employees that a research team, including Mr. Zhu, had managed to extract from GPT-3.5 Turbo in the fall of this year. With some work, the team had been able to "bypass the model's restrictions on responding to privacy-related queries," Mr. Zhu wrote.

My email address is not a secret. But the success of the researchers' experiment should ring alarm bells because it reveals the potential for ChatGPT, and generative A.I. tools like it, to reveal much more sensitive personal information with just a bit of tweaking. When you ask ChatGPT a question, it does not simply search the web to find the answer. Instead, it draws on what it has "learned" from reams of information — training data that was used to feed and develop the model — to generate one. L.L.M.s train on vast amounts of text, which may include personal information pulled from the Internet and other sources. That training data informs how the A.I. tool works, but it is not supposed to be recalled verbatim... In the example output they provided for Times employees, many of the personal email addresses were either off by a few characters or entirely wrong. But 80 percent of the work addresses the model returned were correct.
The researchers used the API for accessing ChatGPT, the article notes, where "requests that would typically be denied in the ChatGPT interface were accepted..."

So what's the upshot for you? "The vulnerability is particularly concerning because no one — apart from a limited number of OpenAI employees — really knows what lurks in ChatGPT's training-data memory."

Global: If you got cash as a present for the holidays and are looking for a unique way to blow it...
https://not-just-memorization.github.io/extracting-training-data-from-chatgpt.html

A team of researchers from Google and several US universities discovered an attack method targeting ChatGPT in November 2023. This unusual technique can extract around a gigabyte of ChatGPT's training dataset from the model. The researchers prompted the model with the command to repeat a certain word, e.g. 'poem', forever, and sat back and watched as the model responded. ChatGPT would repeat the word for a while and then start including parts of the exact data it had been trained on, including email addresses and phone numbers. In the strongest configuration, over 5% of the output ChatGPT emitted was a direct verbatim 50-token-in-a-row copy from its training dataset. While LLMs should generate responses based on the training data, this training data itself is not meant to be made public. The researchers revealed they spent roughly $200 to extract several megabytes of training data using their method but believe they could have got approximately a gigabyte by spending more money.

So what's the upshot for you? Who knows what a few hundred bucks more could have uncovered!

US: Rite Aid Banned From Using Facial Recognition Software
https://techcrunch.com/2023/12/20/rite-aid-facial-recognition/

Rite Aid, the U.S. drugstore giant, faces a five-year ban on using facial recognition software as the Federal Trade Commission (FTC) slams its "reckless use" that humiliated customers and risked their sensitive information.
The FTC's order, pending approval from the U.S. Bankruptcy Court amid Rite Aid's Chapter 11 filing, demands the deletion of collected facial images and associated products. Rite Aid must establish a robust data security program. The FTC's scrutiny followed a 2020 Reuters report exposing the chain's secretive deployment of facial recognition systems, predominantly in lower-income, non-white neighborhoods, resulting in false accusations and privacy breaches.

So what's the upshot for you? Rite Aid says it has removed the offending software.

UK: UK Police To Be Able To Run Face Recognition Searches on 50 Million Driving Licence Holders
https://www.theguardian.com/technology/2023/dec/20/police-to-be-able-to-run-face-recognition-searches-on-50m-driving-licence-holders

The police will be able to run facial recognition searches on a database containing images of Britain's 50 million driving licence holders under a law change being quietly introduced by the government. Should the police wish to put a name to an image collected on CCTV, or shared on social media, the legislation would provide them with the powers to search driving licence records for a match. The move, contained in a single clause in a new criminal justice bill, could put every driver in the country in a permanent police lineup, according to privacy campaigners.

Facial recognition searches match the biometric measurements of an identified photograph, such as that contained on driving licences, to those of an image picked up elsewhere. The intention to allow the police or the National Crime Agency (NCA) to exploit the UK's driving licence records is not explicitly referenced in the bill or in its explanatory notes, raising criticism from leading academics that the government is "sneaking it under the radar."
Once the criminal justice bill is enacted, the home secretary, James Cleverly, must establish "driver information regulations" to enable the searches, but he will need only to consult police bodies, according to the bill.

So what's the upshot for you? What is going on in the UK? This must make every citizen uncomfortable one way or another.

Global: Your Kid Prefers YouTube To Netflix. That's a Problem for Streamers.
https://www.wsj.com/business/media/your-kid-prefers-youtube-to-netflix-thats-a-problem-for-streamers-86b132f8

Major streaming services test releasing children's content on YouTube and cut back on fare for kids. Netflix's share of U.S. streaming viewership by 2- to 11-year-olds fell to 21% in September from 25% two years earlier, according to Nielsen. Meanwhile, YouTube's share jumped to 33% from 29.4% over the same period. That reality is changing major streaming services' approach to children's entertainment, from what shows and movies they make to where they release them. Many are pulling back on investments in children's content, and some streamers have started content for young viewers on such platforms as Google-owned YouTube and Roblox. The eight largest U.S. streamers, including Netflix, Warner's Max and Amazon Prime Video, added 53 originals catering to children and families in the first half of the year, down from 135 for the first half of 2022, according to Ampere. That represents a decrease of 61%, compared with a 31% decrease in overall originals across these streamers for the same period.

So what's the upshot for you? You only need to flick on the TV (terrestrial or streaming) over the holidays to see why kids (and adults) are being driven to other platforms. The ad breaks are so frequent now you'd be forgiven for thinking you were watching a show about cars with commercials featuring Leonardo Di Caprio on some boat sprinkled in.
So to recap: If you missed getting that special someone that special gift, we had solid ideas this week: a concept rotating detonation jet engine that flies faster and farther, and then the source code for Grand Theft Auto 5. Just think of the possibilities!

We had Mint Mobile sharing your data with who knows who this week, and the US Feds starting to worry about the application of AI in the use of all the PII that's been getting loose about us. We have a silly example of a query run repeatedly against ChatGPT that eventually sees it yield its training data as output.

We had Rite Aid slapped with a 5-year facial recognition software ban, just as the UK's wonderfully named home secretary James Cleverly lays tracks for the UK integration of 5 million driver's licenses into their own facial recognition database.

We ended this week with something so basic a child could figure it out. And did. Leaving television and streaming content producers on the back foot to catch up with YouTube.

And our quote of the week — "You can get excited about the future. The past won't mind." — Hillary DePian

That's it for this week. Stay safe, stay secure, all the best for a great 2024 and we'll see you in se7en! Oh, and we promise no more cats this year!

The IT Privacy and Security Weekly Update Gives Large for the week ending December 19th, 2023 (12/19/2023)
Episode 170

Our first few stories present some unique gifting ideas. Who needs another Rolex when you can give "large"?

We get new breach reporting requirements from the US' SEC and China's MIIT. Wait, what is this, a competition? In that same vein we get something less than super from Mr. Cooper. After a court ruling that you cannot be forced to reveal your phone PIN, there's great news from Google about a change to your location data. And we finish up this update in front of a crackling fire.
Quick, get the eggnog, we'll go get a cat and let's settle in comfortably for this week's update!

UK: Most original gift for 2023? Don't tell us, you finally found a present for that person who has everything.
https://jalopnik.com/concorde-engine-finally-sold-on-ebay-afterburner-inclu-1851108481

Whether your holiday has passed or is still to come, we wonder, dear reader, if this is you: A Rolls-Royce Olympus jet engine used to power the Concorde supersonic jet was listed on eBay for years before finally selling this past weekend for $714,500. The engine was removed from a British Airways Concorde plane that made its last flight 20 years ago. It cannot fly again but could be repurposed decoratively. The purchaser and plans for the 3.5 ton engine are unknown. However, it sold at a substantial discount from its $975,000 list price back in 2019. This particular engine still contained the Concorde's signature afterburner for added thrust capacity, making it all the more unique. There is hope that this iconic piece of aviation history, rather than being dismantled for parts, can be preserved and displayed proudly in a museum setting much like the retired Concorde airframe it powered.

So what's the upshot for you? Happy Holidays and best wishes for a brilliant new year. And yes, we will remain on the edge of our seats in anticipation over 2024's "most original gift".

Global: Microsoft releases Phi-2, a small language model AI that outperforms Llama 2, Mistral 7B
https://venturebeat.com/ai/microsoft-releases-phi-2-a-small-language-model-ai-that-outperforms-llama-2-mistral-7b/

Looking to try something different over the holiday break? Microsoft Research, the blue sky division of the software giant, announced the release of its Phi-2 small language model (SLM), a text-to-text AI program that is "small enough to run on a laptop or mobile device," according to a post on X.
At the same time, Phi-2 with its 2.7 billion parameters (connections between artificial neurons) boasts performance that is comparable to other, much larger models including Meta's Llama 2-7B with its 7 billion parameters and even Mistral-7B, another 7 billion parameter model. Microsoft researchers also noted in their blog post on the Phi-2 release that it outperforms Google's brand new Gemini Nano 2 model despite it having half a billion more parameters, and delivers less "toxicity" and bias in its responses than Llama 2.

Microsoft also couldn't resist taking a little dig at Google's now much-criticized, staged demo video for Gemini in which it showed off how its forthcoming largest and most powerful new AI model, Gemini Ultra, was able to solve fairly complex physics problems and even correct students' mistakes on them. As it turned out, even though it is likely a fraction of the size of Gemini Ultra, Phi-2 also was able to correctly answer the question and correct the student using the same prompts.

However, despite these encouraging findings, there is a big limitation with Phi-2, at least for the time being: it is licensed for "research purposes only," not commercial usage, under a custom Microsoft Research License, which further states Phi-2 may only be used for "non-commercial, non-revenue generating, research purposes." But, er, businesses looking to build products atop it are out of luck.

So what's the upshot for you? Children all over the world are putting in last minute updates to "Santa wish lists" for laptops with an Nvidia 4050 (or better) GPU chip in them. Thankfully Santa seems to be pretty tight with Jensen Huang (CEO of Nvidia).

Global: Your Smart TV knows what you are watching.
https://themarkup.org/privacy/2023/12/12/your-smart-tv-knows-what-youre-watching

Did you get a new smart TV during the recent holiday sales? Well, there might be an uninvited guest joining your viewing parties.
Most modern smart TVs employ Automatic Content Recognition (ACR), a sneaky ad surveillance tech that tracks your viewing habits for targeted ads. This software is often hidden, and opting out is not easy. Many consumers are completely oblivious to ACR's presence.

Let's break down the tech first. ACR works like a constant background Shazam for your TV, identifying content through screenshots and comparing them to a massive database of media and ads. These TVs can capture up to 7,200 images per hour, powering content recommendations and a booming $18.6 billion smart TV ad industry. If you're not keen on having ACR snooping on your watchlist, you may be able to turn it off, depending on your TV's software. The process might take anywhere from 10 to 37 clicks, and the article provides instructions for removing ACR on Roku, Samsung and LG devices.

So what's the upshot for you? Third on the list after the unboxing of your new telly. First plug in the TV, put the batteries in the remote, and then turn off the ACR. Why do we advise this? Let's say you have your parents over and they watch a few days of classical movies and old reruns. That will feed the ad database and you may be served up hearing aid, insurance and prepaid funeral arrangement commercials for the foreseeable future. It's even worse when it's young parents, as the selection moves to diapers and laundry detergent...

US: SEC disclosure rule for 'material' cybersecurity incidents in effect: 4 days to report
https://cyberscoop.com/sec-cybersecurity-incidents-disclosure-rule/

US publicly traded companies are now obliged to disclose "material" cybersecurity incidents to the U.S. Securities and Exchange Commission (SEC) following the implementation of a new rule on Monday. Critics argue that the disclosure time is too rapid and could pose national security risks. Some view it as duplicative of existing regulations, potentially increasing liability pressure on Chief Information Security Officers (CISOs).
The SEC ruling mandates companies to report major hacks within four days and submit annual reports detailing their cybersecurity management. Lawmakers and industry experts express worries about potential conflicts with existing regulations, particularly those from the Cybersecurity and Infrastructure Security Agency (CISA). Concerns also center around the possibility of disclosed information being exploited by malicious hackers for further attacks.

So what's the upshot for you? CISOs are expressing concerns about heightened liability, potentially leading to increased demand for Directors & Officers insurance. We can only imagine the excitement in the insurance industry as yet another type of big ticket policy evolves.

CN: China issues draft contingency plan for data security incidents: 10 minutes to report
https://www.reuters.com/world/china/china-issues-draft-emergency-plan-data-security-incidents-2023-12-15/

China on Friday proposed a four-tier classification to help it respond to data security incidents, highlighting Beijing's concern with large-scale data leaks and hacking within its borders. The plan, which is currently soliciting opinions from the public, proposes a four-tier, colour-coded system depending on the degree of harm inflicted upon national security, a company's online and information network, or the running of the economy. According to the plan, incidents that involve losses surpassing 1 billion yuan ($141 million) and affect the personal information of over 100 million people, or the "sensitive" information of over 10 million people, will be classed as "especially grave," to which a red warning must be issued.

So what's the upshot for you?
The plan demands that in response to red and orange warnings, the involved companies and relevant local regulatory authorities must establish a 24-hour work rota to address the incident, and the Ministry of Industry and Information Technology (MIIT) must be notified of the data breach within ten minutes of the incident happening. Sounds like fun.

US: Hack of Mortgage Lender Mr. Cooper leaks PII on 14.7 Million People
https://www.pcmag.com/news/hack-of-mortgage-lender-mr-cooper-ensnares-147-million-people

In an effort to report significant breaches, but keep them short, we present the Mr. Cooper breach: In October Jay Bray, chairman and CEO of Mr. Cooper Group, called it an "outage;" last month, it became a "cybersecurity incident;" now it's a full-on Personally Identifiable Information (PII) leak. Mortgage company Mr. Cooper Group has confessed to losing the personal info of 14,690,284 people.

So what's the upshot for you? That's quite a feat for a firm with "only" 4.3 million customers.

US: Why Google Will Stop Telling Law Enforcement Which Users Were Near a Crime
https://finance.yahoo.com/news/google-stop-telling-law-enforcement-001953651.html

Earlier this week Google Maps stopped storing user location histories in the cloud. But why? The company said Thursday that for users who have it enabled, location data will soon be saved directly on users' devices, blocking Google from being able to see it, and, by extension, blocking law enforcement from being able to demand that information from Google. "Your location information is personal," said Marlo McGriff, director of product for Google Maps, in the blog post. "We're committed to keeping it safe, private and in your control." The change comes three months after a Bloomberg Businessweek investigation that found police across the US were increasingly using warrants to obtain location and search data from Google, even for nonviolent cases, and even for people who had nothing to do with the crime.
"It's well past time," said Jennifer Lynch, the general counsel at the Electronic Frontier Foundation, a San Francisco-based nonprofit that defends digital civil liberties. "We've been calling on Google to make these changes for years, and I think it's fantastic for Google users, because it means that they can take advantage of features like location history without having to fear that the police will get access to all of that data." Google said it would roll out the changes gradually through the next year on its own Android and Apple Inc.'s iOS mobile operating systems, and that users will receive a notification when the update comes to their account. The company won't be able to respond to new geofence warrants once the update is complete, including for people who choose to save encrypted backups of their location data to the cloud.

So what's the upshot for you? There's still another kind of warrant that privacy advocates are concerned about: reverse keyword search warrants, where police can ask a technology company to provide data on the people who have searched for a given term. "Search queries can be extremely sensitive, even if you're just searching for an address," Lynch said.

IS: Missing your Summer BBQ?
https://livefromiceland.is/webcams/fagradalsfjall

Livestream the volcanic eruption direct from Iceland instead. Apparently this is 10x more activity than the last volcanic eruption in Iceland.

So what's the upshot for you? Get it while it's hot.

So to recap: Our first few stories present some unique gifting ideas. Who needs another Rolex when you can give "large", and what is larger and more in your face than a jet engine (with afterburner) out of a Concorde? Then we updated you on a cool new LLM from Microsoft that could be smarter than Google's newly announced Gemini Nano, and it runs on a laptop!
We told you why you have been getting those diaper ads on your smart TV and where you can get the details to fix it for three of the most popular brands. We heard about new breach reporting requirements from the US' SEC, of four days for US businesses, while China's MIIT colour coded their breach reporting and might slap a 10 minute reporting requirement in place. Then US mortgage lender Mr. Cooper told us that with just over 4 million customers, they lost the PII of over 14 million. And after the Utah court decision that suspects can refuse to provide phone passcodes to police under the US Constitution's Fifth Amendment privilege against self-incrimination, there's great news from Google about a change to your location tracking data. And we ended up in front of a roaring fire with the cat.

This week's quote: "People never believe in volcanoes until the lava actually overtakes them." George Santayana, philosopher, poet, and humanist

That's it for this week. Stay safe, stay secure, happy holidays if you're celebrating them this week, and we'll see you in se7en!