The IT Privacy and Security Weekly Update fixes it for the week ending February 20th., 20242/20/2024 - click the pic to hear the podcast - Episode 179 - click the pic to hear the podcast - This week’s update is our most exciting yet:
Whatever it is, this update fixes it, so come join in the adventure! - click the pic to hear the podcast - Global: Wyze Says Camera Breach Let 13,000 Customers Briefly See Into Other People's Homes https://www.theverge.com/2024/2/19/24077233/wyze-security-camera-breach-13000-customers-events https://www.nytimes.com/wirecutter/blog/wyze-security-breach/ Wyze's problems with letting its security camera customers briefly see into other customer homes is a lot worse than we thought. Last week, co-founder David Crosby said that "so far" the company had identified 14 people who were able to briefly see into a stranger's property because they were shown an image from someone else's Wyze camera. Now we're being told that number of affected customers has ballooned to 13,000. The revelation came from an email sent to customers entitled "An Important Security Message from Wyze," in which the company copped to the breach and apologized, while also attempting to lay some of the blame on its web hosting provider AWS. The breach, however, occurred as Wyze was attempting to bring its cameras back online. Customers were reporting seeing mysterious images and video footage in their own Events tab. Wyze disabled access to the tab and launched its own investigation. So what's the upshot for you? How to securely remedy the ongoing security issues with your Wyze camera:
- click the pic to hear the podcast -
Global: LLM Agents can Autonomously Hack Websites https://arxiv.org/abs/2402.06664 A team of researchers from Cornell University have dropped a new paper that outlines some capabilities of Large Language Models that the world was probably hoping were not evidenced so rapidly: In recent years, large language models (LLMs) have become increasingly capable and can now interact with tools (i.e., call functions), read documents, and recursively call themselves. As a result, these LLMs can now function autonomously as agents. With the rise in capabilities of these agents, recent work has speculated on how LLM agents would affect cybersecurity. However, not much is known about the offensive capabilities of LLM agents. In this work, we show that LLM agents can autonomously hack websites, performing tasks as complex as blind database schema extraction and SQL injections without human feedback. Importantly, the agent does not need to know the vulnerability beforehand. This capability is uniquely enabled by frontier models that are highly capable of tool use and leveraging extended context. Namely, we show that GPT-4 is capable of such hacks, but existing open-source models are not. Finally, we show that GPT-4 is capable of autonomously finding vulnerabilities in websites in the wild. Our findings raise questions about the widespread deployment of LLMs. So what's the upshot for you? Given that these models can now be run on high end laptops, the need for faster, more efficient vulnerability remediation on our Internet facing devices becomes paramount. It's only a matter of time. US: AI monitoring employees for ‘thought crimes’ in apps like Slack and Zoom https://www.cnbc.com/2024/02/09/ai-might-be-reading-your-slack-teams-messages-using-tech-from-aware.html https://dataprivacylab.org/projects/identifiability/paper1.pdf Aware, an AI firm specializing in analyzing employee messages, said companies including Walmart, Delta, T-Mobile, Chevron, Nestle, AstraZeneca and Starbucks are using its technology. Aware said its data repository contains messages that represent about 20 billion individual interactions across more than 3 million employees. “A lot of this becomes thought crime,” Jutta Williams, co-founder of Humane Intelligence, said of AI employee surveillance technology in general. She added, “This is treating people like inventory in a way I’ve not seen.” A client can specify a “violent threats” policy, or any other category, using Aware’s technology and have the AI models monitor for violations in Slack, Microsoft Teams and Workplace by Meta The client could also couple that with rule-based flags for certain phrases, statements and more. If the AI found something that violated a company’s specified policies, it could provide the employee’s name to the client’s designated representative. This type of practice has been used for years within email communications. What’s new is the use of AI and its application across workplace messaging platforms such as Slack and Teams. Using the anonymized data in Aware’s analytics product, clients can see how employees of a certain age group or in a particular geography are responding to a new corporate policy or marketing campaign, according to Jeff Schumann, co-founder and CEO of the Columbus, Ohio-based startup. Aware clients using its analytics tool also have the power to add metadata to message tracking, such as employee age, location, division, tenure or job function. “What they’re saying is relying on a very outdated and, I would say, entirely debunked notion at this point that anonymization or aggregation is like a magic bullet through the privacy concern." Even if data is aggregated or anonymized, research suggests, it’s a flawed concept. A landmark study on data privacy using 1990 U.S. Census data showed that 87% of Americans could be identified solely by using ZIP code, birth date and gender. So what's the upshot for you? Now you have to stay on your toes so as not to be perceived as committing "Thought crimes". We see bright, chrome handcuffs in our future. CN: Gold Pickaxe' Android, iOS Malware Steals Your Face https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/ A new iOS and Android trojan named 'GoldPickaxe' employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. The new malware, spotted by Group-IB, is part of a malware suite developed by the Chinese threat group known as 'GoldFactory,' which is responsible for other malware strains such as 'GoldDigger', 'GoldDiggerPlus,' and 'GoldKefu.' Group-IB says its analysts observed attacks primarily targeting the Asia-Pacific region, mainly Thailand and Vietnam. However, the techniques employed could be effective globally, and there's a danger of them getting adopted by other malware strains. For iOS (iPhone) users, the threat actors initially directed targets to a TestFlight URL to install the malicious app, allowing them to bypass the normal security review process. When Apple removed the TestFlight app, the attackers switched to luring targets into downloading a malicious Mobile Device Management (MDM) profile that allows the threat actors to take control over devices. Once the trojan has been installed onto a mobile device in the form of a fake government app, it operates semi-autonomously, manipulating functions in the background, capturing the victim's face, intercepting incoming SMS, requesting ID documents, and proxying network traffic through the infected device using 'MicroSocks.' Group-IB says the Android version of the trojan performs more malicious activities than in iOS due to Apple's higher security restrictions. Also, on Android, the trojan uses over 20 different bogus apps as cover. For example, GoldPickaxe can also run commands on Android to access SMS, navigate the filesystem, perform clicks on the screen, upload the 100 most recent photos from the victim's album, download and install additional packages, and serve fake notifications. The use of the victims' faces for bank fraud is an assumption by Group-IB, also corroborated by the Thai police, based on the fact that many financial institutes added biometric checks last year for transactions above a certain amount. So what's the upshot for you? This is not malware you want on your phone. Always be vigilant as to what you are adding and if there is any hesitation, wipe and rebuild your phone, because once you lose your face, smiling becomes very difficult. US: DOJ Quietly Removed Russian Malware From Routers in US Homes and Businesses https://arstechnica.com/information-technology/2024/02/doj-turns-tables-on-russian-hackers-uses-their-malware-to-wipe-out-botnet/ More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the US Department of Justice (DoJ). That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password So what's the upshot for you? Malware said by the DOJ to be tied to the Chinese government was removed from Cisco and Netgear Small Office Home Office (SOHO) routers by the FBI last month in similar fashion US: Where will "Precision Agriculture" leave the farmers? https://www.nifa.usda.gov/grants/programs/precision-geospatial-sensor-technologies-programs/adoption-precision-agriculture https://fighttorepair.substack.com/p/precision-agriculture-has-its-cassandra Farming in the United States is undergoing a revolutionary change, akin to the shift brought by the Fordson (yes that Ford) tractor a century ago. Today, precision agriculture is at the forefront, employing technologies like internet-connected equipment and AI-driven sensors to redefine farming practices. From autonomous tractors to smart spraying systems, precision agriculture offers unprecedented efficiency and sustainability. However, smaller producers face challenges competing with larger counterparts who benefit from economies of scale. Moreover, the consolidation of agricultural technology raises concerns about cybersecurity risks and data ownership. While these technologies provide valuable insights, they also transfer control of essential farm data to corporate entities without farmers' full comprehension or compensation, turning farmers into little more than passive caretakers of automated equipment managed, controlled and accountable to distant corporate masters. This shift underscores a broader trend of farmers losing autonomy over their operations, potentially impacting their livelihoods. As precision agriculture advances, the balance between innovation and farmer empowerment becomes increasingly critical for the future of American agriculture. So what's the upshot for you? When you, in the name of greater efficiency, have your farm equipment mapping out your fields, performing precise watering, fertilizer and pesticide spraying and all that information is beamed right back to John Deere, it's only a matter of time before it's you standing in the way of progress. Global: Signal Finally Rolls Out Usernames, So You Can Keep Your Phone Number Private https://www.wired.com/story/signal-launches-usersnames-phone-number-privacy/ Signal, renowned for its end-to-end encrypted messaging, launches beta features to enhance phone number privacy. Users can now conceal their phone numbers and instead share usernames for communication, addressing a long-standing criticism of the app's design. Default settings hide phone numbers in profiles, with options to create unique usernames and control discoverability. These changes empower users in high-risk environments and offer greater privacy for all, says Signal's president, Meredith Whittaker. While the app still requires a phone number for registration, the update marks a significant step toward addressing privacy concerns among its millions of users. So what's the upshot for you? The worlds most secure messaging app now improves it's privacy Global: This Tiny Website Is Google's First Line of Defense in the Patent Wars https://www.tdcommons.org/ https://www.wired.com/story/google-tdcommons-dpub-patents-prior-art/ A trio of Google engineers recently came up with a futuristic way to help anyone who stumbles through presentations on video calls. They propose that when algorithms detect a speaker's pulse racing or "umms" lengthening, a generative AI bot that mimics their voice could simply take over. That cutting-edge idea wasn't revealed at a big company event or in an academic journal. Instead, it appeared in a 1,500-word post on a little-known, free website called TDCommons.org that Google has quietly owned and funded for nine years. Until WIRED received a link to an idea on TDCommons last year and got curious, Google had never spoken with the media about its website. Scrolling through TDCommons, you can read Google's latest ideas for coordinating smart home gadgets for better sleep, preserving privacy in mobile search results, and using AI to summarize a person's activities from their photo archives. And the submissions aren't exclusive to Google; about 150 organizations, including HP, Cisco, and Visa, also have posted inventions to the website. So what's the upshot for you? Working your way through tdcommons.org is an amazing adventure. - click the pic to hear the podcast - So to recap: This week’s update is our most exciting yet: You got driving lessons that help you fix security. As someone once said a long time ago “Fool me once, shame on you. Fool me twice Shame on me.” Wyze is the “security” camera company that is in the news for lack of or poor security more than any other. Follow our steps to secure your own Wyze cameras, but just don’t put the car through the side of the house doing it. AI that can discover vulnerabilities on it’s own to hack websites? Start working on your processes and procedures to put patches, updates and remediation in place immediately on release, because with AI checking up on your risk mitigation, you will be on a very short leash. Are thought crimes a thing right now? They will be if this Aware AI software sells into any more enterprises. Imagine having a blue Monday and just the tone of your Slack messages is enough to put you in front of HR. Remember a couple years ago when the worker had the upper hand? Those days are gone! The we told you about malware that will steal your face. Sure, you can laugh now but if the recent (Feb 6th.) story about the finance worker who wired $25 million on the orders of the deepfake CFO are anything to go by this is malware that will certainly remove the smile from your removed face. Then in the US we learned that US Department of Justice logged into any of our routers with the default admin account and password to remove malware. And gosh if they could only come back and do our Windows updates too…. Then we had the likes of John Deere, mapping out our farms, identifying what is growing where, the conditions, the success of weed and bug killers and fertilizers collecting the data over years, to a point where the farmer holds no secrets and is only in the way. Signal announced beta testing of its long awaited username feature, adding even more privacy to our favorite secure messaging app. And finally we took a stroll through Googles’ “Big ideas” website, created to reduce the friction of patents in technology, and offering a playground of brilliant innovation. Our quote of the week - “I like fixing things.” - Richard E. Grant That's it for this week. Stay safe, stay secure, remember to unmount the Wyze camera before you drive over it and we'll see you in se7en! - click the pic to hear the podcast - Leave a Reply. |