The Surprise of the IT Privacy and Security Weekly Update for the week ending August 8th. 20238/8/2023 This week surprisingly starts with a couple of building maintenance callouts: one for a flashing X on the roof and the other for a rat in the kitchen. We then feel the jolt of new, shorter breach reporting requirements and solve the mystery of what happened to your air miles. Google confounds us with a little more control over everything it is collecting on us, while White Castle may be considering racing lanes for its drive-through with its latest AI announcement. We have every spy across the planet weighing in on what was line-of-sight for hackers during 2022, and an astonishingly easy fix for you to do now. And we end with a cracking update from low Earth orbit. You’re going to love this, so circle the world with us in our most awesome update yet! US: You have to see it to believe it https://twitter.com/itsmefrenchy123/status/1685177000913502209 By now you know that Twitter was rebranded to X, that Elon put a strobe-lit X on top of the Twitter building, that it was ordered removed within two days, and that the landlord was fined $4,447 over the illegal sign. The thing you really don't get from our .gif is why that order was put in place until you see what the ultra-bright strobe lights were doing for the residential apartment building across the street. We are glad we didn't have to try sleeping through that. So what's the upshot for you? An X-cellent way to create awareness, but perhaps not for making any more friends. --Click on the X to find the podcast-- CN: Multiple Chinese APTs establish major beachheads inside sensitive infrastructure https://arstechnica.com/security/2023/08/multiple-chinese-apts-establish-major-beachheads-inside-us-infrastructure/ Hacking teams working for the Chinese government are intent on burrowing into the farthest reaches of sensitive infrastructure, much of it belonging to the US, and establishing permanent presences there if possible. In the past two years, they have scored some wins that could seriously threaten national security. If that wasn’t clear before, three reports released in the past week make it abundantly so. In one published by security firm Kaspersky, researchers detailed a suite of advanced spying tools used over the past two years by one group to establish a “permanent channel for data exfiltration” inside industrial infrastructure. A second report published Sunday by The New York Times said that a different group working for the Chinese government had hidden malware that could cause disruptions deep inside the critical infrastructure used by US military bases around the world. Those reports came nine days after Microsoft revealed a breach of email accounts belonging to 25 of its cloud customers, including the Departments of State and Commerce. The operations appear to be coming from separate departments inside the Chinese government and targeting different parts of US and European infrastructure. The first group, tracked under the name Zirconium, is out to steal data from the targets it infects. A different group, known as Volt Typhoon, according to the NYT, aims to gain the long-term ability to cause disruptions inside US bases, possibly for use in the event of an armed conflict. In both cases, the groups are endeavoring to create permanent beachheads where they can surreptitiously set up shop. So what's the upshot for you? There's a rat in the kitchen. --Click on the rat to find the podcast-- U.S.: Public companies must now disclose breaches within 4 days https://www.malwarebytes.com/blog/news/2023/08/public-companies-must-now-disclose-breaches-within-4-days Public organizations in the US impacted by a cyberattack will now have to disclose it within four days...with some caveats attached. On Wednesday, new rules were approved by the US Securities and Exchange Commission (SEC). These rules mean that publicly traded companies will need to reveal said attack details in cases where it had a “material impact” on their finances. Disclosures of a breach can be held off in cases where the US Attorney General decides that such an action would pose a risk to national security or public safety. Otherwise, the new rules regarding the four-day time limit will apply: That’s not all. Registrants will also have to describe their processes for “assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents”. Both management and the board of directors will also have to explain their oversight of potential risks and threats, all required in the organization’s annual report. This all sounds like a good idea. However, some folks believe it may help people doing the attacking more than it potentially hinders them. SEC commissioner Hester Pierce, who voted against the new rules, is not impressed. He believes the new rules could end up providing attackers with a kind of road map of potential targets. New filings will continually give them updates on how the company is coping with their attack. They could then plan new strategies or other groups watching the chaos unfold could swoop in to cause more problems for the victim. So what's the upshot for you? HPierce has a point, but this is a start, the correct balance will come over time. Global: Google makes collected data more accessible to you https://blog.google/products/search/new-privacy-tools/ https://www.theverge.com/2023/8/3/23817797/google-contact-info-removal-search-results https://myactivity.google.com/results-about-you Google released a new tool for users to manage their contact information visibility in Google searches. The "Results About You" tool has been updated to include a dashboard that alerts users when their contact information is found in Google searches. Users can delete or request the removal of personal information like email, home address, or phone number. The dashboard feature is currently being rolled out to users in the United States. Google has also introduced updated policies for the removal of nonconsensual explicit images. While the tools won't completely remove a user from Google searches, they will make personal information less accessible. Users without a Google account can use a stand-alone removal form to make removal requests. Google provides email notifications to track the status of removal requests. So what's the upshot for you? We think that removing your data from searches is still a little more involved than most people are willing to accept. US: Instead of profiling just anyone, profile the ones with the guns. https://venturebeat.com/ai/zeroeyes-uses-ai-and-security-cameras-to-detect-guns-in-public-and-private-spaces/ AI has been used a lot for face detection around the world in our surveillance society. But ZeroEyes believes it can detect immediate threats by using AI to detect guns. ZeroEyes has been rolling out the gun detection video analytics service since 2022. It combines the automated detection of gun-like objects with video analysis by human experts before it sends an emergency message to the place where a shooter might be present — before shootings take place. ZeroEyes pioneered the field of AI-based visual gun detection after finding through research that, in the majority of mass shootings, the shooter reveals their gun well ahead of the incident. In fact, research suggests that 70% to 80% percent of active shooter events involved a weapon that was visible as much as 30 minutes before the first shot was fired. For example, in the Parkland shooting, the shooter went into the stairwell and sat there for minutes with his gun fully visible, getting mentally prepared. In the 2012 movie theater shooting in Aurora, Colorado, the shooter got suited up in the parking lot beforehand So what's the upshot for you? Gun matches picked up by the AI on the cameras are forwarded to ZeroEyes staff of primarily military and law enforcement veterans, often those who served in special forces units. They have been specially trained in previous lines of work to understand and identify guns, as well as remain calm and collected during stressful situations. This is the type of expertise and background required to ensure each alert is thoroughly examined within seconds. US: White Castle adds another AI partner to its drive-through service https://www.theverge.com/2023/8/2/23817406/white-castle-soundhound-ai-sliders Two weeks ago we flagged White Castle for plugging into a license (registration) plate reading AI service that many police use for identifying criminal behavior. White Castle and McDonald's are interested in the tech to read your plates and pull up what your typical order might be. Now White Castle will be coupling that with SoundHound's AI-enabled voices at over 100 drive-thrus by 2024 in the hope that people can get their sliders faster with maybe less arguing with someone over speakers. With some testing already under their belt, the rollout will start shortly although the locations are still under wraps. So what's the upshot for you? It will be interesting to see whether AI-powered drive-thrus are faster and how much the AI can block out crying kids and drunk friends in the backseat. Global: FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022 https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/ Five Eyes cybersecurity authorities (CISA, NSA, FBI) released a list of 12 most exploited vulnerabilities in collaboration. Threat actors shifted focus to exploiting outdated software vulnerabilities in 2022, targeting unpatched systems. Neal Ziring from NSA's Cybersecurity Directorate warned about organizations using unpatched software, creating opportunities for cyber attacks. Older vulnerabilities offer cost-effective ways for threat actors to access sensitive data. So what's the upshot for you? Moral of the story: Keep your patching up to date.... for operating systems, applications, services, and edge devices. Global: "What happened to my AirMiles?" https://www.wired.com/story/points-travel-rewards-platform-flaws/ Travel rewards programs from airlines and hotels offer exclusive benefits to members but did you know that Delta SkyMiles, United MileagePlus, Virgin Red, Hilton Honors, and Marriott Bonvoy, use the same digital infrastructure. The backend is provided by Points, a loyalty commerce company, with an API for various services. Security researchers discovered vulnerabilities that could expose customer data, steal loyalty currency (e.g., miles), or compromise administration accounts. One vulnerability allowed traversal within Points API to access customer order records (22 million orders) containing sensitive data. Limits on responses prevented attackers from dumping all data, but specific targets could be identified or data slowly siphoned. The API configuration issue potentially allowed an attacker to generate an account authorization token for any user with just their last name and rewards number. These two pieces of data could be found through past breaches or could be taken by exploiting the first vulnerability. With this token, attackers could take over customer accounts and transfer miles or other rewards points to themselves, draining the victim's accounts. A significant flaw existed in Points.com's global admin site, where an easily guessable secret ("secret") encrypted user cookies. Guessing the secret allowed decryption, granting god-mode-like access to Points reward systems and granting unlimited benefits. So what's the upshot for you? These have all been reported and now fixed, but if you are or were a points collector, you might want to do a quick check on your balance. Global: Microsoft Comes Under Blistering Criticism For 'Grossly Irresponsible' Security https://arstechnica.com/security/2023/08/microsoft-cloud-security-blasted-for-its-culture-of-toxic-obfuscation/ Microsoft is facing intense backlash for the security vulnerabilities within its Azure cloud services and other offerings. Amit Yoran, CEO of security firm Tenable, lashed out, describing Microsoft as "grossly irresponsible" and entrenched in a "culture of toxic obfuscation." This criticism follows Senator Ron Wyden's condemnation of Microsoft's "negligent cybersecurity practices," which facilitated a cyberattack by Chinese government-backed hackers, resulting in the theft of countless emails from cloud customers, including US State and Commerce Department officials. Microsoft's lack of transparency regarding the breach, which involved the hackers obtaining a potent encryption key granting access to multiple cloud services, has only fueled the controversy. Amit Yoran took to LinkedIn to chastise Microsoft for failing to adequately address a "critical" security issue. This vulnerability allows unauthorized access to data and apps managed by Azure AD, Microsoft's cloud service for user authentication in large organizations. Despite being informed of the problem in March, Microsoft's fix, initially declared as complete, was later revealed by Tenable researchers to be insufficient. The situation escalated when Yoran disclosed that his team rapidly discovered bank authentication secrets, underscoring the gravity of the security lapse. In a counter-response, Microsoft expressed appreciation for responsible disclosure but maintained that developing security updates required a balance between timeliness, quality, and customer protection. So what's the upshot for you? The ongoing dispute raises questions about Microsoft's commitment to cloud security and transparency. As accusations of a "black box" approach persist, industry observers await further developments, wondering if this controversy will force Microsoft to rethink its security strategy and communication practices. PL: Spyware Maker LetMeSpy Shuts Down After Hacker Deletes Server Data https://techcrunch.com/2023/08/05/letmespy-spyware-shuts-down-wiped-server/ Poland-based spyware LetMeSpy has announced its permanent shutdown following a severe data breach in June. The breach resulted in the deletion of the spyware's servers, erasing a significant volume of data stolen from thousands of victims' smartphones. The spyware's website no longer functions, blocking users from logging in or creating new accounts. Analysis conducted by TechCrunch reveals that LetMeSpy's app is non-functional, confirming the cessation of its operations. LetMeSpy was a surreptitious Android phone monitoring app deliberately designed to remain hidden on victims' phone screens, making detection and removal difficult. The app, often planted on phones with prior knowledge of the passcode, illicitly collected messages, call logs, and real-time location data. Nonprofit transparency collective DDoSecrets obtained a copy of LetMeSpy's database, which was shared with TechCrunch for analysis. The data indicated that the spyware had compromised over 13,000 Android devices globally. The breached database also revealed that the spyware was developed by Krakow-based tech company Radeal, whose CEO, Rafal Lidwin, has yet to respond to inquiries. So what's the upshot for you? This is a hard fall for a software firm that not too many will miss. US: Zoom Contradicts Its Own Policy About Training AI on Your Data https://gizmodo.com/zoom-ai-privacy-policy-train-on-your-data-1850712655 Zoom updated its Terms of Service in March, spelling out that the company reserves the right to train AI on user data with no mention of a way to opt-out. On Monday, the company said in a blog post that there's no need to worry about that. Zoom execs swear the company won't actually train its AI on your video calls even though the Terms of Service still say it can. The company's legal documents call your video, audio, and chat transcripts "Customer Content." When you click through Zoom's terms, you agree to give Zoom "perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license and all other rights" to use that Customer Content for "machine learning, artificial intelligence, training, testing," and a variety of other product development purposes. The company reserves similar rights for "Service Generated Data," which includes telemetry data, product usage data, diagnostic data, and other information it gets from analyzing your content and behavior. So what's the upshot for you? We laughed at a news story this morning that Zoom was calling all employees back to the office. Apparently, they feel that remote work is the reason they have fallen behind in innovations over the last couple of years. De/LEo: Satellites are Easier to hack than a Windows PC https://cybernews.com/security/satellites-hacking-easier-windows-interview/ In a recent study from Ruhr University Bochum, experts shed light on a startling vulnerability in satellite communications, raising concerns about potential cyberattacks. Unlike modern operating systems equipped with robust defenses, satellites lack fundamental security measures, leaving them exposed to exploitation. Researchers highlighted the absence of protective mechanisms against memory corruption vulnerabilities, commonly found in everyday devices and operating systems. The paper underscored that even security measures from the early 2000s, present in modern OS, were missing in satellite systems. Complicating matters further, the unforgiving space environment poses unique challenges, from the intricate implementation of cryptography to safeguarding assets against radiation-induced memory degradation. As satellites become more affordable and accessible, the notion of relying on security through obscurity is fading. The study emphasized the importance of transparent security practices and collaboration with researchers, enabling the identification of vulnerabilities and the improvement of satellite systems. While no public incidents have been reported yet, experts cautioned that it's not a matter of if but when such vulnerabilities will be exploited. Ultimately, If you were open about your system and showed researchers what the system looks like, people would come to show how things could be done better. So what's the upshot for you? The emerging narrative parallels other technology domains like mobile communications, where initially believed security-by-obscurity tactics proved insufficient. As satellite technology democratizes, the imperative for robust security measures becomes more pressing, with researchers urging the industry to proactively address vulnerabilities and fortify space-based infrastructure. Until then we are off to AWS' "Groundstation as a Service" to see what we can find. And our quote of the week - People only really learn when they’re surprised. If they’re not surprised, then what you told them just fits in with what they already know. No minds were changed. No new perspective. Just more information. So my main advice to anyone preparing to give a talk on stage is to cut out everything from your talk that’s not surprising. - Derek Sivers --Click on the rat to find the podcast-- That’s it for this week. Stay safe, stay secure, stay surprised, and see you in Se7en!
UB40
8/8/2023 08:35:49 pm
There's a rat in mi kitchen what I'm a gonna do?
Reply
Leave a Reply. |