Subject: Hello World by Julia Angwin
Source: The Markup
Subject: Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots
Subject: One year later: Apple’s rules on data privacy force a rethink on customer engagement
Marketers are still acting as if we live in an advertising world enriched by an almost unlimited amount of available data.
Source: Krebs on Security
Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number….
Source: Infosec Exchange via Brian Krebs' Mastodon
I usually avoid security predictions stories, but make an exception for Taylor Armerding’s useful Medium piece surveying different security nerds. https://armerding.medium.com/cybersecurity-experts-gaze-into-the-2023-crystal-ball-and-see-good-bad-ugly-b5f958b89b31
I found this bit from the ID Theft Resource Center to be spot-on: “The number of data breach notices that reveal less information about a compromise will continue to grow, putting more people and businesses at risk. Two years ago, only a handful of notices didn’t have good information, but the percentage has accelerated through 2022. We think, anecdotally, that it’s due to a series of federal court rulings that you must have suffered actual harm from a breach before you can sue a company.”
Source: The Hacker News
Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners. The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon.
The flaws run a wide gamut, ranging from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution.
“If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely,” the researchers noted.
Subject: ASK US ANYTHING about our reporting on telehealth startups
Source: The Markup via newsie.social
We analyzed web traffic across 50 #telehealth sites with @STAT and saw that almost all were sending users’ personal information to some of the world’s largest advertising platforms. Questions about what we found or how we found it? Let us know in the replies and our team will be responding this week. #MedMastodon #MentalHealth #Privacy
Subject: US Supremes deny Pegasus spyware maker’s immunity claim
Source: The Register
The US Supreme Court has quashed spyware maker NSO Group’s argument that it cannot be held legally responsible for using WhatsApp technology to deploy its Pegasus snoop-ware on users’ phones. Facebook and its WhatsApp subsidiary sued the notorious Israel-based software company in 2019, alleging that NSO exploited a zero-day bug in WhatsApp to remotely drop Pegasus on about 1,400 smartphones belonging to attorneys, journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials in multiple countries.
Pegasus, of course, is the now-infamous malware that NSO claims is only sold to legitimate government agencies — not private companies or individuals — and can only be used “for the purpose of preventing and investigating terrorism and other serious crimes,” despite numerous reports from Citizen Lab, Google, and the media of the malicious code being used to spy on journalists, activists, and politicians by their opponents.
Once installed on a victim’s device, Pegasus can, among other things, secretly snoop on that person’s calls, messages, and other activities, and access their phone’s camera without permission.
In response to Facebook’s lawsuit, NSO asked the courts to dismiss it on the grounds that the immunity of foreign states from prosecution also applies to non-governmental vendors. After the lower courts rejected its argument, NSO appealed to the US Supreme Court, which today denied its petition, thus kicking the case back to the Court of Appeals.
Only a few months after they officially became available, a security researcher and his friends have managed to pwn California’s new digital license plates. Yes, for the past several years, Cali has been on a weird mission to digitize its car tags. Advocates claim that this modernization effort will offer a host of benefits to drivers, including “visual personalization” and easy in-app registration renewal, but security experts have long warned that if you hook your plates up to the web, somebody will inevitably try to mess with them.
The National Archives and Records Administration has widened its digital records retention guidance for federal government agencies to include other forms of electronic messaging such as text messages. In a bulletin issued Jan. 5, the federal agency set out new rules requiring the preservation of all communication about government business on electronic messaging systems.
Electronic messaging systems are defined as systems that “allow users to send communications in real-time or for later viewing,” and explicitly include texts, chats and instant messages.
“This bulletin recognizes that the use of additional types of electronic messaging often now replaces conversations previously occurring over email,” NARA said in the fresh guidance.
Source: Sensei Enterprises, Inc.
Artificial intelligence is all the rage these days. We see various forms of AI used in our lives every day. Real-world data is used to train the AI algorithms to improve accuracy. Where does the training data come from? The short answer is you. Adobe found itself in the headlines when it was revealed that Adobe uses user content stored in Creative Cloud services to train AI algorithms by default. The Register reported that users will need to opt out of the service if they don’t want their data to be AI training fodder. Adobe confirmed, “When we analyze your content for product improvement and development purposes, we first aggregate your content with other content and then use the aggregated content to train our algorithms and thus improve our products and services.” Apparently, the policy has been in place for some time, but the action isn’t sitting well with some users, especially artists. To opt out, log in to your Adobe account and go to the Privacy and personal data settings. Turn off the “Allow my content to be analyzed by Adobe for product improvement and development purposes” setting.
Subject: Another password manager is moving beyond passwords
Source: gHacks Tech News
Subject: A college student made an app to detect AI-written text
Teachers worried about students turning in essays written by a popular artificial intelligence chatbot now have a new tool of their own. Edward Tian, a 22-year-old senior at Princeton University, has built an app to detect whether text is written by ChatGPT, the viral chatbot that’s sparked fears over its potential for unethical uses in academia….
His motivation to create the bot was to fight what he sees as an increase in AI plagiarism. Since the release of ChatGPT in late November, there have been reports of students using the breakthrough language model to pass off AI-written assignments as their own.
How GPTZero works: To determine whether an excerpt is written by a bot, GPTZero uses two indicators: “perplexity” and “burstiness.” Perplexity measures the complexity of text; if GPTZero is perplexed by the text, then it has a high complexity and it’s more likely to be human-written. However, if the text is more familiar to the bot — because it’s been trained on such data — then it will have low complexity and therefore is more likely to be AI-generated.
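To make the two indicators concrete, here is an added illustration that is not GPTZero's code and not part of the original article. It stands in a tiny, constructed, add-one-smoothed bigram model for the language model a detector would actually use, computes perplexity of a passage under that model, and computes burstiness as the spread of per-sentence perplexities. The reference corpus, the sample passages, and the `BigramModel` class are all assumptions made for the demonstration; the absolute numbers mean nothing outside this toy, only their relative ordering does, which is also why such statistics alone give false positives on short or formulaic human text.

```python
# Added illustration of "perplexity" and "burstiness" as text-origin indicators.
# The bigram model and corpus below are constructed stand-ins, not GPTZero's model.
import math
import re
from collections import Counter

# Constructed reference corpus: plays the role of the data the model was trained on.
REFERENCE_CORPUS = """
the quick brown fox jumps over the lazy dog . the dog sleeps . the fox runs .
a model predicts the next word . the next word is often the common word .
"""


def tokenize(text):
    """Lower-case words and sentence-ending punctuation as separate tokens."""
    return re.findall(r"[a-z]+|[.!?]", text.lower())


def split_sentences(text):
    """Split on sentence-ending punctuation followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


class BigramModel:
    """Add-one (Laplace) smoothed bigram model; unknown words map to <unk>."""

    def __init__(self, corpus):
        toks = ["<s>"] + tokenize(corpus)
        self.unigrams = Counter(toks)
        self.bigrams = Counter(zip(toks, toks[1:]))
        self.vocab = set(toks) | {"<unk>"}

    def log_prob(self, prev, word):
        prev = prev if prev in self.vocab else "<unk>"
        word = word if word in self.vocab else "<unk>"
        num = self.bigrams[(prev, word)] + 1
        den = self.unigrams[prev] + len(self.vocab)
        return math.log(num / den)

    def perplexity(self, text):
        """exp of the average negative log-probability per predicted token."""
        toks = ["<s>"] + tokenize(text)
        if len(toks) < 2:
            return float("inf")
        total = sum(self.log_prob(p, w) for p, w in zip(toks, toks[1:]))
        return math.exp(-total / (len(toks) - 1))


def burstiness(model, text):
    """Population standard deviation of per-sentence perplexity.

    Human writing tends to mix predictable and surprising sentences (high
    burstiness); uniformly predictable sentences score low.
    """
    pps = [model.perplexity(s) for s in split_sentences(text)]
    if len(pps) < 2:
        return 0.0
    mean = sum(pps) / len(pps)
    return math.sqrt(sum((p - mean) ** 2 for p in pps) / len(pps))


def score(model, text):
    """Return both indicators for a passage so they can be compared side by side."""
    return {
        "perplexity": model.perplexity(text),
        "burstiness": burstiness(model, text),
        "sentence_perplexities": [model.perplexity(s) for s in split_sentences(text)],
    }


# Constructed sample passages for the comparison.
FAMILIAR = "the fox jumps over the dog . the dog sleeps ."
UNFAMILIAR = "quantum lattices shimmer beneath ancient cathedrals ."
UNIFORM = "the fox runs . the dog sleeps ."
MIXED = "the fox runs . quantum lattices shimmer beneath ancient cathedrals ."

if __name__ == "__main__":
    model = BigramModel(REFERENCE_CORPUS)
    for label, passage in [("familiar", FAMILIAR), ("unfamiliar", UNFAMILIAR),
                           ("uniform", UNIFORM), ("mixed", MIXED)]:
        print(label, score(model, passage))
```

Text that resembles the reference corpus gets a lower perplexity than text the model has never seen, matching the article's description of "familiar" text scoring as low complexity; a passage that alternates familiar and unfamiliar sentences gets a higher burstiness than one whose sentences are all equally predictable.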
Source: The Hacker News
Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022. It uses “components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers,” Bitdefender said in an analysis.
A majority of the infections are said to originate in Iran, with smaller detections in Germany and the U.S., the Romanian cybersecurity firm added.
SecondEye, according to snapshots captured via the Internet Archive, claims to be commercial monitoring software that can work as a “parental control system or as an online watchdog.” As of November 2021, it was offered for sale at between $99 and $200.