Pete Recommends – Weekly highlights on cyber security issues, September 14, 2024

Subject: Google sued over AI-driven tool for customer service call review
Source: Android Headlines
https://www.androidheadlines.com/2024/09/google-sued-over-ai-driven-tool-for-customer-service-call-review.html

By now, it’s no secret that Google is fully committed to AI. The company has integrated the power of LLMs into multiple apps and services. One of those is a platform that helps other companies streamline customer service tasks by analyzing calls. That said, an individual filed a lawsuit against Google for listening to his calls with a Home Depot agent. Recently, Google’s name appeared in another potential conversation-listening case.

Individual files lawsuit against Google for call listening using AI tools

AI makes it possible to automate multiple processes and facilitate others. Regarding calls, we have seen that it is capable of generating summaries with key points, or even suggesting potential replies. These types of capabilities are especially useful for customer service agents. With that in mind, Google developed the Contact Center AI (CCAI) platform. Any external company can turn to CCAI if it wants to enhance the performance of its customer service agents. CCAI can help offer faster responses or better understand customer requirements.

That said, it seems that some people aren’t particularly comfortable with an “entity” listening to their calls.

Listening was happening in real-time

Call-analysis platforms for customer service are not new. Even before AI, these platforms existed, but they relied on humans and recorded calls. However, some may find the feeling of an AI listening to them in real-time intimidating.

Filed: https://www.androidheadlines.com/category/tech-news


Subject: AI songs, bots, created to defraud music streams of millions, says government
Source: NewsNation via NXSTTV
https://www.nxsttv.com/nmw/news/ai-music-producer-accused-of-bilking-music-streamers-for-millions/

  • Justice Department says man created thousands of AI songs
  • Bots would continually stream the songs, generating royalties
  • Streaming companies allegedly defrauded of $10 million

(NewsNation) — A North Carolina man has been charged with defrauding music streaming services to the tune of $10 million in royalty payments for using artificial intelligence to not only make music but to “listen” to those songs.

Michael Smith, 52, “played upon the integrity of the music industry by a concerted attempt to circumvent the streaming platforms’ policies,” said FBI Acting Assistant Director Christie M. Curtis.

Music streaming platforms such as Spotify, Amazon Music and Apple Music pay royalties to composers, musicians and those who hold the rights to songs. The payments are based on how many times the songs are streamed by people around the world.

Smith then allegedly expanded the scheme on the assumption that a billion fake streams of tens of thousands of songs would be more difficult to detect since each song was being streamed fewer times.

Filed: https://www.newsnationnow.com/crime/


Subject: Phishing Attack Takes a Two-Step Approach to Leverage Legitimate Sites and Evade Detection
Source: KnowBe4
https://blog.knowbe4.com/phishing-attack-takes-a-two-step-approach-to-leverage-legitimate-sites-and-evade-detection

[infomercial of interest … ]

Analysis of a new phishing attack demonstrates how attackers may take a longer path to reach their malicious goals while staying “under the radar” of security products.

It would be pretty simple to create a phishing attack that sends its victims a brand-impersonating email with a link that takes them to an impersonated webpage asking for credentials, personal details or credit card information.

But many of today’s security products will detect the impersonation immediately. So, if you’re a cybercriminal developing a cunning phishing scam, you need to find ways to avoid being detected – even if it means adding a few unnecessary steps.

And that’s exactly what we find in security vendor Perception Point’s latest analysis of a phishing attack that uses Microsoft Office Forms as an intermediate step in the phishing scam. According to the analysis, the phishing email impersonates a well-known brand (such as Microsoft 365), with the first step being a click on a link within the email that points to an Office form.


Subject: U.S. releases new export controls on chips, quantum computing
Source: Quartz
https://qz.com/us-release-export-controls-chips-ai-quantum-computing-1851641981

The Biden administration announced new export controls on critical technologies, including semiconductors and quantum computers.

The U.S. has released its latest set of export controls on critical technologies as it steps up its efforts to curb China’s technological advances.

The new export controls cover quantum computing, aerospace technology, and semiconductors, which “warrant export controls because of national security concerns,” the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) said. The rules, which were released Friday and don’t explicitly name certain countries, “are the product of extensive discussions with international partners,” and are being adopted as military applications enabled by critical technologies “emerge and evolve,” said BIS.

Meanwhile, the Dutch government announced it is expanding export control measures related to advanced semiconductor manufacturing equipment, specifically deep ultraviolet lithography equipment, which is manufactured by Netherlands-based ASML. The change announced Friday gives the Dutch government control over ASML’s exports of its machines to other countries, which the U.S. had done.

Filed: https://qz.com/business-news/generation-ai


Subject: Reolink’s battery-powered security camera can record for days without subscription fees
Source: The Verge
https://www.theverge.com/2024/9/6/24235858/reolink-atlas-pt-ultra-security-camera-battery-smart-home-doorbell

Reolink’s new Altas PT Ultra is the company’s first battery-powered security camera that is capable of all-day continuous recording. It doesn’t need power access, so it can be installed almost anywhere, and since it captures 4K video to a microSD card instead of the cloud, there are fewer security risks and no subscription fees. There are already many battery-powered security cameras that streamline installation, but they’re limited by small batteries that can’t record for more than a day before needing a charge. Reolink’s Altas PT Ultra’s solution to that problem is a built-in 20,000mAh battery the company says has enough power to record for 12 hours per day for up to eight days or four days when recording nonstop around the clock.

Having to charge the camera every week does negate some of the convenience of it being battery-powered, but through desktop and mobile apps, the Altas PT Ultra can be programmed to only capture video when motion is detected by its passive infrared sensor, or on a specific schedule, to extend its battery life. When set to its “standard working mode,” Reolink says the camera can run for up to 16 months on a single charge….


Subject: New RAMBO attack steals data using RAM in air-gapped computers
Source: Bleeping Computer
https://www.bleepingcomputer.com/news/security/new-rambo-attack-steals-data-using-ram-in-air-gapped-computers/

A novel side-channel attack dubbed “RAMBO” (Radiation of Air-gapped Memory Bus for Offense) generates electromagnetic radiation from a device’s RAM to send data from air-gapped computers.

Air-gapped systems, typically used in mission-critical environments with exceptionally high security requirements, such as governments, weapon systems, and nuclear power stations, are isolated from the public internet and other networks to prevent malware infections and data theft.

Although these systems are not connected to a broader network, they can still be infected by rogue employees introducing malware through physical media (USB drives) or sophisticated supply chain attacks carried out by state actors.

The malware can operate stealthily to modulate the air-gapped system’s RAM components in a way that allows the transfer of secrets from the computer to a recipient nearby.

The latest method that falls into this category of attacks comes from Israeli university researchers led by Mordechai Guri, an experienced expert in covert attack channels who previously developed methods to leak data using network card LEDs, USB drive RF signals, SATA cables, and power supplies.

How the RAMBO attack works – To conduct the Rambo attack, an attacker plants malware on the air-gapped computer to collect sensitive data and prepare it for transmission. It transmits the data by manipulating memory access patterns (read/write operations on the memory bus) to generate controlled electromagnetic emissions from the device’s RAM.

Stopping RAMBO – The technical paper published on Arxiv provides several mitigation recommendations to mitigate the RAMBO attack and similar electromagnetic-based covert channel attacks, but they all introduce various overheads.

Filed: https://www.bleepingcomputer.com/news/security/


Subject: Kremlin’s VPN Crackdown to Cost Estimated $646 Million
Source: tech.co
https://tech.co/news/kremlins-vpn-crackdown-cost

Since the war in Ukraine began, the Kremlin has made a concerted effort to limit public access to outside information. In response, Russians have become increasingly creative in finding ways to outfox the government’s strict anti-internet laws, with one outcome being a surge in VPN usage.

This hasn’t sat well with the country’s communications regulator, Roskomnadzor, which is now ramping up efforts to stop the free flow of information into and out of Russia for good.

To this end, the government is pledging an eye-watering $646 million on tightening controls. Here’s how they plan to implement these measures.

Russia’s Internet Restrictions – To better understand the wholescale attack on the country’s communications outlets, a little context is necessary.



Subject: This Tool Finds Matching Usernames Across 400 Social Media Networks
Source: Lifehacker
https://www.bespacific.com/this-tool-finds-matching-usernames-across-400-social-media-networks/

Lifehacker: “Want to check if a particular internet handle you encountered online (or created yourself) is being used on any other social networks or websites? Sherlock is a free command line application that scans around 400 social networks and finds accounts that match whatever username you type in. Using this service couldn’t be simpler: Just open it up and type “sherlock” followed by the username you want to search for. The program will check every site it can access and tell you where accounts matching your username exist, complete with a link to the relevant profile page. This is useful in two ways: finding people across multiple websites, and checking whether a username you’re thinking of using is already taken on other sites.”


Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: The biggest cyber attacks of 2024
Source: BCS
https://www.bcs.org/articles-opinion-and-research/the-biggest-cyber-attacks-of-2024/?_hsmi=324128536

[h/t Sabrina] The cyber threat landscape in 2023 showed that criminals are relentlessly innovative. Criminals evolved, and this demanded constant vigilance and adaptation by cyber security practitioners….

Our aim, as ever, was to uncover who got hacked, to understand how and to share any lessons that could be learned.
During 2024, we plan to do the same — so bookmark this page and please keep checking in.

Cybersecurity in 2024 – When the World Economic Forum publishes a list of ‘trends’ in cyber threats it is a sure sign that the impact of attacks and breaches on the overall economy is significant. At the beginning of each calendar year it is traditional to reflect on, and tally-up from the previous year, emerging trends in cyber attacks. It is good to understand the Tools, Techniques and Procedures (TTP) of the adversaries we face. It is also good to spot any new methods or any shift in targets, the better to be prepared for the coming year.

To help with this many top security companies, with customers across the globe, publish their own reports on such trends in attack modes and targets. One report that is always eagerly anticipated is from IBM. Their X-Force Threat Intelligence Index 2024 identifies trends in all these vital areas, based on data from 2023.

Picking out some highlights, as the report runs to a hefty 64 pages, the methods for Initial Access are shifting. The use of legitimate credentials is now top of the list, with phishing knocked off the top spot from last year into second. Third place goes to internet-facing applications with exploitable weaknesses. This trend is a sign that detection and prevention methods within the security framework are having some success. Breaking into most corporate networks is very difficult without some form of legitimate ‘foothold’. Another observation from IBM’s team is a possible shift in emphasis for some ransomware groups: rather than encrypting and ‘ransoming’ a company’s data, they prefer to simply steal it. There has been a 266% increase in the use of infostealer software such as Rhadamanthys, LummaC2 and StrelaStealer.

Two other significant takeaways from the report are that 84% of attacks on critical infrastructure (energy, telecoms, water etc.) gained initial access through preventable weaknesses and that attacks in Europe increased by 31% year on year. Regarding the critical infrastructure attacks the report concludes that better asset and patch management, along with credential hardening and using the principle of least privilege, could have prevented these attacks.

There was at least one positive in the report. They concluded that ransomware gangs were taking longer to elevate privileges within Active Directory controlled domains than previously. This is the equivalent of ‘shows some improvement, could do better’ on your school homework. As a final ‘food for thought’ from this report comes the news that Europe accounted for 31% of IBM’s X-Force team’s incidents that they responded to and within that the UK was the primary target.

Filed: https://www.bcs.org/articles-opinion-and-research/security-data-privacy


Subject: Why digital identity should be a priority for the next president
Source: Nextgov/FCW
https://www.nextgov.com/digital-government/2024/09/why-digital-identity-should-be-priority-next-president/399458/

MITRE called for greater attention to identity issues after a series of workshops held with stakeholders about the importance of White House leadership.

Stakeholders inside and outside of government hope that the next administration will make digital identity a policy priority, and they have a new series of transition papers with recommendations for that administration, which MITRE released Thursday.

Based on a series of workshops at the government’s annual identity event, held this year in June, the papers offer a glimpse into the wishlist of the federal employees, vendors, academics and other stakeholders who work on digital identity.

“There’s a limited amount of things that an administration can work on. It’s up to them to pick their priorities, and this hasn’t been one of their top priorities” in the Biden administration or the Trump administration, said Duane Blackburn, deputy director of MITRE’s Center for Data Driven Policy who previously worked on identity issues for years in government. “It’s been on the radar but hasn’t been one of their top priorities.”

One of the first things to focus on, said Blackburn, who co-chairs the FedID planning committee, is “this need for a coordinated approach to digital identity. Not just in government, but in the government and private sector.”

The MITRE papers call for a modernized national privacy framework, as it’s difficult to work in such an outdated system, said Blackburn.

Other recommendations include public education on identity theft and a strategy to support victims of identity theft. Congress should also pass legislation on the problem, the papers note, and in the federal government, agencies need senior leadership for the issue as well as a coordinated approach.

Agencies with important parts of the identity puzzle, such as Social Security numbers, could validate those attributes for third parties. One recommendation is for the Social Security Administration itself to play a larger role in the identity game, providing digital IDs for citizens.

Topic: https://www.nextgov.com/topic/id-management/


Subject: Google, TSA Testing New “ID Pass” in Wallet, Created by Scanning Passport
Source: Phone Scoop
https://www.phonescoop.com/articles/article.php?a=23354&utm_source=dlvr.it&utm_medium=mastodon

Google will soon start beta testing a new type of digital ID in Google Wallet. This “ID Pass” serves the same function as a digital driver’s license (mID) at TSA airport security checkpoints and potentially other places where you need to verify your identity. In this case, it’s created by scanning your passport (the photo page and chip) with your phone, then scanning your face to confirm it’s you. This creates an “ID Pass” that will be accepted at TSA checkpoints that already take mID. The TSA has a website that lets you check which airports accept digital IDs before you travel. Importantly, an ID Pass is not a digital passport, and Google still recommends carrying a physical ID. Google also shared that Iowa, New Mexico, and Ohio will be the next US states to enable mID in Google Wallet.


Subject: With Eye on Fraud Crackdown, Mastercard Makes $2.65B Bid
Source: AP via Newser
https://www.newser.com/story/356149/mastercard-makes-265b-bid-aimed-at-crackdown-on-fraud.html

Mastercard is buying global threat intelligence company Recorded Future for $2.65 billion to strengthen its cybersecurity services. The card issuer has been attempting to enhance fraud protections for customers and in May it rolled out a software update that integrated artificial intelligence into its fraud-prediction technology. The company believes it will help it to see patterns in stolen cards faster and allow banks to react more quickly, reports the AP….

Posted in: AI, Cybercrime, Cybersecurity, Financial System, Law Library Management, Privacy, Search Engines, Search Strategies