Tagging along with the IT Privacy and Security Weekly Update for the Week Ending May 14th, 2024. Episode 189.

Ever feel like you are being followed? This week we have both Apple and Google making efforts to quell that effect. We have leak updates from two sources that should be among the last to ever have to send out breach notices: one a computer manufacturer and the other a US Government agency. From there, it's on to the latest craze in extortion and what you can do to secure against it. We get what we think could be an AI version of Mad Cow disease. The first round of Mad Cow was scary, but this one includes hallucinations. There's the rushed US extension of section 702 of the Foreign Intelligence Surveillance Act (FISA). Wait, what? What's that? It's an NSA undertaking that could affect almost anyone globally. And finally we get some insight into what happens when your company's Cloud Service Provider (CSP) hiccoughs and deletes all your company infrastructure. Could it be time for CSP-specific disaster recovery plans? This week's updates might leave you feeling a little uncomfortable, but ... better the devil you know.

Global: Apple and Google Introduce Alerts for Unwanted Bluetooth Tracking
https://datatracker.ietf.org/doc/draft-detecting-unwanted-location-trackers/01/

Apple and Google have launched a new industry standard called "Detecting Unwanted Location Trackers" to combat the misuse of Bluetooth trackers for stalking. Starting Monday, iPhone and Android users will receive alerts when an unknown Bluetooth device is detected moving with them. The move comes after numerous cases of trackers like Apple's AirTags being used for malicious purposes. Several Bluetooth tag companies have committed to making their future products compatible with the new standard.
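To make the "detected moving with them" idea concrete, here is an added example of the kind of heuristic a phone can apply to Bluetooth advertisements it overhears. It is written for this page and is not Apple's, Google's or the IETF draft's own logic: the device labels, places and thresholds are constructed, and it assumes a tag keeps one stable identifier for the whole trip (the draft deals with identifier rotation separately). The point it shows is that a tag seen once on a bus is not an alert, while one that turns up at home, on the bus, at the office and at the cafe is.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One BLE advertisement heard by the phone (all values constructed)."""
    t: int          # seconds since the start of the trip
    device: str     # advertising identifier; hypothetical labels, not real addresses
    place: str      # coarse location the phone was at when it heard the advert


# Constructed trip: home -> bus -> office -> cafe over about 40 minutes.
SIGHTINGS = [
    Sighting(0, "my-earbuds", "home"), Sighting(0, "tag-A", "home"), Sighting(0, "tag-C", "home"),
    Sighting(600, "my-earbuds", "bus"), Sighting(600, "tag-A", "bus"),
    Sighting(600, "tag-B", "bus"), Sighting(700, "tag-B", "bus"),      # a stranger's tag, bus only
    Sighting(1500, "my-earbuds", "office"), Sighting(1500, "tag-A", "office"), Sighting(1500, "tag-C", "office"),
    Sighting(2400, "my-earbuds", "cafe"), Sighting(2400, "tag-A", "cafe"),
]

# Accessories the user has paired; the alert logic ignores these.
KNOWN_DEVICES = {"my-earbuds"}


def flag_unwanted_trackers(sightings, known, min_places=3, min_duration=20 * 60):
    """Return identifiers of unknown devices that travelled with the phone.

    A device is flagged only when it was heard at `min_places` or more
    distinct places and the span between its first and last sighting is at
    least `min_duration` seconds. Requiring both keeps a tag that merely
    shares one bus ride from triggering an alert.
    """
    first, last, places = {}, {}, defaultdict(set)
    for s in sightings:
        if s.device in known:
            continue
        first.setdefault(s.device, s.t)
        last[s.device] = max(last.get(s.device, s.t), s.t)
        places[s.device].add(s.place)
    return sorted(
        d for d in places
        if len(places[d]) >= min_places and last[d] - first[d] >= min_duration
    )


if __name__ == "__main__":
    print(flag_unwanted_trackers(SIGHTINGS, KNOWN_DEVICES))  # ['tag-A']
```

Lowering `min_places` to 2 also flags `tag-C`, which was heard at home and at the office; the thresholds are the whole trade-off between catching a tracker early and nagging the user about every tag that happens to share a commute.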
Apple and Google said they will continue collaborating with the Internet Engineering Task Force to further develop this technology and address the issue of unwanted tracking.

So what's the upshot for you?
This is good news, especially for those who have been tracked or had their cars stolen through various AirTag attachment techniques.

US: Leaks at Dell, and the US Patent Office
https://techcrunch.com/2024/05/09/dell-discloses-data-breach-of-customers-physical-addresses/
https://techcrunch.com/2024/05/08/us-patent-and-trademark-office-confirms-another-leak-of-filers-address-data/

Technology giant Dell notified customers on Thursday that it experienced a data breach involving customers' names and physical addresses. In an email the computer maker wrote that it was investigating "an incident involving a Dell portal, which contains a database with limited types of customer information related to purchases from Dell." Dell wrote that the information accessed in the breach included customer names, physical addresses, and "Dell hardware and order information, including service tag, item description, date of order and related warranty information."

Initially the company downplayed the impact of the breach in the message. However, further data was exfiltrated through a different portal, with several reports seen by TechCrunch containing pictures apparently taken by customers and uploaded to Dell when seeking technical support. Some of these pictures contain metadata revealing the precise GPS coordinates of the location where the customer took the photos, according to a sample of the scraped data.

Then in a separate data leak: The federal government agency responsible for granting patents and trademarks is alerting thousands of filers that their private addresses were exposed following a second data spill in as many years. The U.S.
Patent and Trademark Office (USPTO) said in an email to affected trademark applicants this week that their private domicile address -- which can include their home address -- appeared in public records between August 23, 2023 and April 19, 2024. U.S. trademark law requires that applicants include a private address when filing their paperwork with the agency to prevent fraudulent trademark filings. USPTO said that while no addresses appeared in regular searches on the agency's website, about 14,000 applicants' private addresses were included in bulk datasets that USPTO publishes online to aid academic and economic research.

The agency took blame for the incident, saying the addresses were "inadvertently exposed as we transitioned to a new IT system," according to the email to affected applicants. "Importantly, this incident was not the result of malicious activity," the email said. Upon discovery of the security lapse, the agency said it "blocked access to the impacted bulk data set, removed files, implemented a patch to fix the exposure, tested our solution, and re-enabled access."

So what's the upshot for you?
Companies and government agencies bear a huge responsibility when collecting personally identifiable information (PII). Collecting it is easy; keeping it safe is the hard work.

Global: Ransomware Crooks Now SIM Swap Executives' Kids To Pressure Their Parents
https://www.theregister.com/2024/05/07/ransomware_evolves_from_mere_extortion/

"We saw situations where threat actors essentially SIM swap the phones of children of executives, and start making phone calls to executives, from the phone numbers of their children," Charles Carmakal, Mandiant's CTO, recounted during a Google Security Threat Intelligence Panel at this year's RSA Conference in San Francisco last Monday. "Think about the psychological dilemma that the executive goes through – seeing a phone call from the children, picking up the phone and hearing that it's somebody else's voice?
Sometimes, it's caller ID spoofing. Other times, we see demonstrated SIM swapping of family members." Either way, it's horrifying.

It's the next step in the evolution of ransomware tactics, which have now moved far beyond simply encrypting victims' files and even stealing their data. "There are a few threat actors that really have no rules of engagement in terms of how far [they] try to coerce victims," Carmakal noted, recalling ransomware incidents in which the criminals have directly contacted executives, their family members, and board members at their homes. The criminals have moved from just staging an attack against a company, its customers and their data; it becomes "more against the people," he added. It changes the calculation involved in deciding whether to pay the extortion demand, Carmakal said. "It's less about 'do I need to protect my customers?' But more about 'how do I better protect my employees and protect the families of employees?' That's a pretty scary shift."

So what's the upshot for you?
eSIMs may be a way to avoid this if your phone and service provider support them. They tie the SIM card number to the identity of the phone. If the phone is stolen you need a password to change the eSIM. The downside is that if the SIM-jacker can trick the mobile network provider into transferring the number from one SIM to another, the SIM format actually makes no difference.

Global: Did OpenAI, Google and Meta 'Cut Corners' to Harvest AI Training Data?
https://economictimes.indiatimes.com/tech/technology/how-tech-giants-cut-corners-to-harvest-data-for-ai/articleshow/109093168.cms

When OpenAI ran out of English-language training data in 2021, they faced a challenge in further training their AI models. To address this, OpenAI created a speech recognition tool to transcribe audio from YouTube videos, despite concerns about violating YouTube's rules against using videos for independent applications.
OpenAI's president, Greg Brockman, was reportedly involved in collecting over 1 million hours of YouTube video transcripts, which were then used to train their GPT-4 system. At Meta (owner of Facebook and Instagram), internal discussions revealed plans to potentially acquire Simon & Schuster to obtain long works for AI training. They also explored gathering copyrighted data from the internet, bypassing the need for time-consuming negotiations with publishers, artists, and news outlets.

Similarly, Google transcribed YouTube videos to gather text for its AI models, potentially infringing on video creators' copyrights. Google's privacy team even expanded terms of service to access more online content, including Google Docs and restaurant reviews, for AI product development. Despite awareness of OpenAI's data harvesting by some Google employees, they did not intervene due to Google's own use of YouTube transcripts for AI training. Criticism of OpenAI's methods could have triggered scrutiny of Google's practices and potential copyright violations.

Moreover, tech companies are now exploring "synthetic" data, generated by AI models themselves, to train their systems. This includes text, images, and code produced by AI, allowing systems to learn from their own generated content rather than relying solely on human-created data.

So what's the upshot for you?
Could this be a new form of AI mad cow disease? What is mad cow disease? Bovine spongiform encephalopathy (BSE), widely referred to as "mad cow disease," is a progressive and fatal disease of the nervous system in cattle. It results from infection by a "prion," an abnormal cellular protein found mostly in the brains of other cattle. BSE is not contagious. Cattle become infected by eating feed contaminated with prions from the brains of other cattle. So, when AI gets fed other AI-produced "feed", will we end up with a similar outcome?
US: Secrecy Concerns Mount Over Spy Powers Targeting US Data Centers
https://www.wired.com/story/section-702-ecsp-civil-liberties-letter/
https://www.cbsnews.com/news/biden-signs-bill-reauthorizing-fisa-surveillance-program-section-702/

Last month, President Biden signed a surveillance bill granting the NSA expanded authority to compel US businesses to assist in wiretapping international communications. Legal experts are uncertain about its precise limits, especially regarding which companies may be affected. Congress rushed to extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) in April, allowing the NSA to monitor certain international communications involving Americans. The government's efforts to redefine "electronic communications service providers" (ECSPs) could broaden the scope beyond tech giants like Microsoft and Google to include more businesses.

Digital rights groups are urging officials to declassify details related to a court case that could shed light on the surveillance program's scope. The government's focus on data centers suggests they intend to target these facilities under the updated ECSP definition. Efforts are underway to clarify and potentially revise the bill's language amid concerns about expanded surveillance capabilities and their impact on global data flows and business competitiveness.

So what's the upshot for you?
Evidence that the NSA was secretly building a vast database of US telephone records – the who, the how, the when and the where of millions of mobile calls – was the first and arguably the most explosive of the Edward Snowden revelations back in 2013. Since then more detail about the rationale for data collection, along with a reduction in the amounts collected, was put in place, but the latest extension seems to suggest a potential increase in both collection sources and sizes.
AU: Google Cloud deleted a large customer's infrastructure
https://blocksandfiles.com/2024/05/14/google-cloud-unisuper/

An Australian superannuation fund manager, UniSuper, managing retirement savings for university staff, experienced a major service disruption due to an internal fault with its Google Cloud infrastructure. During a migration to Google Cloud VMware Engine, a misconfiguration triggered a software bug, leading to data loss and service interruptions lasting several days. UniSuper's infrastructure was duplicated across two Google Cloud regions as a safety measure, but both copies were affected by the same Google error, showing that redundancy held within a single provider subscription does not protect against an error on the provider's side. The deletion of UniSuper's private cloud subscription resulted in the loss of critical services and data stored on over 1,900 virtual machines, databases, and applications. Despite having backups with another provider, UniSuper experienced data loss due to incomplete backup practices.

So what's the upshot for you?
This underscores the importance of disaster recovery (DR) plans tailored for Infrastructure-as-a-Service (IaaS) providers. Google Cloud has apologized and taken measures to prevent similar incidents. The situation raises questions about the response time and level of involvement from Google Cloud if UniSuper were a smaller organization. The incident emphasizes the need for all IaaS customers, including those on Google Cloud Platform (GCP), to prioritize robust disaster recovery planning to mitigate risks associated with cloud provider failures.

So to recap:
Ever feel like you've been followed? This week we had an update on work that both Apple and Google are engaged in that should mean Bluetooth tracking tags remain functional but not fearsome.

We discovered data leaks: Dell through various support portals and the US Patent Office through bulk updates. The patent office has remediated their leak, but Dell may still be in the discovery phase. We have to ask why this keeps happening.
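Part of the answer, for the Dell support-photo leak at least, is that an uploaded photo carries whatever the camera wrote into it, GPS position included, unless the ingest path removes it. The following is an added example, written for this page and not Dell's or TechCrunch's code, of a stdlib-only check and strip of the Exif block in a JPEG. The sample image is constructed in the code (a bare header, Exif block and scan marker with no real picture data), the latitude value is made up, and the tag numbers are the standard TIFF/Exif ones: 0x8825 is the pointer from IFD0 to the GPS IFD.

```python
import struct

SOI, EOI, SOS, APP1 = 0xD8, 0xD9, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825  # GPSInfoIFDPointer entry in IFD0


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG whose Exif block points at a GPS IFD.

    Offsets are relative to the TIFF header: IFD0 at 8 (18 bytes), GPS IFD
    at 26 (18 bytes), three RATIONAL latitude values at 44 (24 bytes).
    """
    e = "<"  # little-endian TIFF ("II")
    ifd0 = struct.pack(e + "H", 1) + struct.pack(e + "HHII", TAG_GPS_IFD, 4, 1, 26) + struct.pack(e + "I", 0)
    gps = struct.pack(e + "H", 1) + struct.pack(e + "HHII", 0x0002, 5, 3, 44) + struct.pack(e + "I", 0)
    lat = struct.pack(e + "IIIIII", 51, 1, 30, 1, 0, 1)  # 51 deg 30' 0" (made-up GPSLatitude)
    tiff = b"II" + struct.pack(e + "HI", 42, 8) + ifd0 + gps + lat
    payload = EXIF_HEADER + tiff
    app1 = bytes([0xFF, APP1]) + struct.pack(">H", len(payload) + 2) + payload
    sos = bytes([0xFF, SOS]) + struct.pack(">H", 2)  # header only; a real file carries more
    return bytes([0xFF, SOI]) + app1 + sos + b"\x12\x34" + bytes([0xFF, EOI])


def _segments(data: bytes):
    """Yield (marker, start, end) for each header segment up to and including SOS."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:  # entropy-coded data follows; header segments are over
            return
        pos = end


def has_gps_metadata(data: bytes) -> bool:
    """True if an Exif APP1 segment's IFD0 carries a GPS IFD pointer."""
    for marker, start, end in _segments(data):
        seg = data[start + 4:end]
        if marker != APP1 or not seg.startswith(EXIF_HEADER):
            continue
        tiff = seg[len(EXIF_HEADER):]
        e = "<" if tiff[:2] == b"II" else ">"
        if struct.unpack(e + "H", tiff[2:4])[0] != 42:
            continue
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0+ 2])[0]
        for i in range(count):
            off = ifd0 + 2 + 12 * i
            if struct.unpack(e + "H", tiff[off:off + 2])[0] == TAG_GPS_IFD:
                return True
    return False


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment removed; all else is copied verbatim."""
    out = bytearray(data[:2])
    last = 2
    for marker, start, end in _segments(data):
        seg = data[start + 4:end]
        if marker == APP1 and seg.startswith(EXIF_HEADER):
            continue
        out += data[start:end]
        last = end
    out += data[last:]  # scan data and EOI, untouched
    return bytes(out)


SAMPLE_JPEG = build_sample_jpeg()

if __name__ == "__main__":
    print("sample has GPS:", has_gps_metadata(SAMPLE_JPEG))
    print("stripped has GPS:", has_gps_metadata(strip_exif(SAMPLE_JPEG)))
```

The strip is the control that belongs at the upload boundary, before the image is stored where a portal can later serve it; the check is what a review of that boundary would run over a sample of existing uploads. This toy removes only Exif APP1 segments; XMP (a different APP1 payload) and IPTC/Photoshop blocks in APP13 can also carry location and would need the same treatment in a production filter.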
Where are the security reviews when sensitive data is exposed to external perimeters? Where are the pen tests and external access audits?

From there, it's on to the latest craze in extortion and what you can do to make it less likely with strong account protection measures in place. This includes a unique password, along with security recovery questions that can't be guessed from browsing your online info.

We get what we think could be an AI version of Mad Cow disease: AI ingesting AI-created content. Do we end up with healthy results or something that is better avoided?

Then there is the extension of the Foreign Intelligence Surveillance Act (FISA) section 702. The NSA initiative seems to be getting a quiet expansion to include more electronic service providers. Digital rights groups are fighting to get the specifics declassified.

And finally we get some insight into what happens when your company's Cloud Service Provider (CSP) hiccoughs and a migration plan deletes your company infrastructure. Since you never know what issues you might hit by just doing backups, a cloud service provider specific recovery process may be the best means of protection.

Our quote of the week – "Someone always has tagged you from your past. I'd throw away the tags and keep going." - Maya Angelou

That's it for this week. Stay safe, stay secure, throw away the tags, and we'll see you in se7en!
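The UniSuper story is the case for a provider-specific recovery plan, and the simplest place to start is an honest inventory: which workloads have a copy that would survive the provider itself deleting the account, how old that copy is, and whether anyone has ever restored from it. The following is an added example of that inventory check, written for this page and not UniSuper's or Google Cloud's tooling; the assets, providers, dates and backups are all constructed. Note that a replica inside the same provider, like the second-region copy in the story, is deliberately not counted.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Asset:
    name: str
    provider: str  # cloud account the workload lives in (constructed labels)


@dataclass(frozen=True)
class Backup:
    asset: str
    provider: str         # where the copy is stored
    taken: datetime
    restore_tested: bool  # has this copy ever been restored in a drill?


NOW = datetime(2024, 5, 14, tzinfo=timezone.utc)  # constructed reference time

# Constructed inventory. The replica is a second copy inside the same
# provider: useful for a region outage, useless if the provider deletes the account.
ASSETS = [
    Asset("db-primary", "cloud-A"),
    Asset("db-primary-replica", "cloud-A"),
    Asset("web-01", "cloud-A"),
    Asset("ledger-vm", "cloud-A"),
]
BACKUPS = [
    Backup("db-primary", "cloud-A", NOW - timedelta(days=1), True),   # same provider, does not count
    Backup("db-primary", "cloud-B", NOW - timedelta(days=2), True),   # independent, fresh, tested
    Backup("web-01", "cloud-B", NOW - timedelta(days=40), False),     # independent but stale, untested
    # ledger-vm has no backup anywhere
]


def dr_findings(assets, backups, now=NOW, max_age=timedelta(days=7)):
    """Map each asset to the reasons it would not survive a provider-side deletion.

    Only copies held outside the asset's own provider count. An asset with no
    such copy, with a copy older than `max_age`, or whose independent copies
    were never restore-tested is reported; assets with no issues are omitted.
    """
    findings = {}
    for a in assets:
        independent = [b for b in backups if b.asset == a.name and b.provider != a.provider]
        issues = []
        if not independent:
            issues.append(f"no copy outside {a.provider}")
        else:
            newest = max(independent, key=lambda b: b.taken)
            age = now - newest.taken
            if age > max_age:
                issues.append(f"newest independent copy is {age.days} days old")
            if not any(b.restore_tested for b in independent):
                issues.append("independent copy never restore-tested")
        if issues:
            findings[a.name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in dr_findings(ASSETS, BACKUPS).items():
        print(f"{name}: " + "; ".join(issues))
```

Run against the constructed inventory, only db-primary passes: the replica has no copy outside the provider, web-01's off-provider copy is 40 days old and has never been restored, and ledger-vm has nothing at all. The untested-restore finding is the one the story turns on: UniSuper had backups elsewhere and still lost data, so the drill matters as much as the copy.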