Subject: Week in review: VMware ESXi servers under attack, ChatGPT’s malicious potential, Reddit breached
Source: Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos…
Subject: Now for sale: Data on your mental health
Source: Waashington Post via Mastodon @bespacific
Source: ABA via beSpacific
ABA: “Re-posters of digital content are not liable for statements they did not author. Only the original creators of digital content can be held liable for defamatory statements, not the re-posters of slanderous posts. The court in Banaian v. Bascom held that persons who reshared original content should not be held to the same standard as those who originally created the content. In so doing, the court analyzed a portion of the Communications Decency Act (CDA) in determining that the statute’s plain meaning safeguards all re-posters of content that other authors first create and share…”–
Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.
Source: U.S. GAO
Fast Facts – Federal systems are vulnerable to cyberattacks. Our High Risk report identified 10 critical actions for addressing federal cybersecurity challenges.
In this report, the last in a series of four, we cover the 2 actions related to Protecting Privacy and Sensitive Data:
- Improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans
- Improve the protection of federally collected and maintained personal and sensitive data
We’ve made 236 public recommendations in this area since 2010. Nearly 60% of those recommendations had not been implemented as of December 2022.
Federal prosecutors are squinting pretty hard, trying to keep an eye on what the failed FTX founder Sam Bankman-Fried has been doing while he’s been ordered by the court to live under his parents’ roof. The young crypto founder has reportedly been accessing the internet using a VPN, and the U.S. Attorneys Office is concerned that could mean he’s accessed crypto services or is communicating with folks involved in the case.In a letter sent to New York federal Judge Lewis Kaplan on Monday, prosecutors said Bankman-Fried used a VPN on Jan. 29 and Feb. 12. This had them concerned that SBF was trying to keep his activities hidden from government surveillance.
Of course, VPN use is not in and of itself any sign of trying to get around those who might track online activity, although VPNs are widely used against surveillance, and to access content that’s restricted in a home country. Prosecutors are concerned it could mean SBF could be trying to trade crypto, which would violate the conditions of his bail.
Source: Becker’s Healthcare
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a brief Feb. 13 advising healthcare organizations on how to protect their internet-connected devices and networks from Distributed Denial of Service attacks.
Eight things to know about DDoS attacks:
- Hackers are more inclined to use DDoS attacks as it is cost effective, and requires relatively low resources and technical skills.
- HHS warned that these attacks are getting more sophisticated and complex while getting easier and cheaper to perpetrate.
- Hackers can use DDoS attacks at any stage of an attack.
- DDoS attacks increased by 67 percent year-on-year and 24 percent quarter-on-quarter, according to the HHS.
- Hackers will use web application attacks, such as DDoS attacks, to target an organization’s most exposed infrastructure.
- To defend against these attacks, healthcare organizations should implement user data protocol, SYN, and transmission control protocol.
- Healthcare organizations should also work to identify services and devices that may be exposed to the public internet, vulnerabilities and how a user base connects to networks.
- ‘Killnet,’ a Russian-based hacking group recently deployed a DDoS attack on hospital and health system websites across the U.S
Source: Electronic Frontier Foundation
Table of Contents:
- Principles for A Privacy-Protective Organization
- If you’re a small organization or just getting started thinking about privacy
- If you are a more resourced organization, or one that works with marginalized populations
- Actionable Recommendations For Respecting Digital User Privacy
- Companies Must Offer Better Privacy Options By Default
[various EFF Privacy topics … ]
Subject: How to Prepare for a Lost, Stolen or Broken Smartphone
Source: New York Times
Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.
Feb. 16 (UPI) — The Justice and Commerce departments announced Thursday the start of the Disruptive Technology Strike Force to prevent top tech and digital secrets from being stolen by other countries.Last month, FBI Directory Christopher Wray expressed dire concerns about cyberattacks and hacks from Russia and China at the World Economic Forum. He said emerging global threats included ransomware, cyberattacks, and economic espionage.
“Today, autocrats seek tactical advantage through the acquisition, use, and abuse of America’s most innovative technology,” Deputy Attorney General Lisa Monaco said in a statement. “They use it to enhance their military capabilities, support mass surveillance programs that enable human rights abuses and all together undermine our values.”
The department said adversaries are looking for various advance technologies like supercomputing and exascale computing, artificial intelligence, advanced manufacturing equipment and materials, quantum computing, and biosciences.
Source: Center for Data Innovation via beSpacific
Center for Data Innovation, Patrick Grady February 13, 2023: “The EU is considering placing generative artificial intelligence (AI) tools, such as ChatGPT, in a “high risk” category in its upcoming AI bill, thereby subjecting such tools to burdensome compliance requirements. This sloppy addition needlessly stunts creativity and shows the EU is hitting the panic button instead of carefully considering the benefits and risks of new technologies. The AI Act targets so-called “high risk” applications of AI—including those used in public services, law enforcement, and judicial procedures—that must comply with the strictest requirements, including conformity assessments, technical documentation, monitoring, and oversight measures. A new proposal would dump AI systems that generate complex text (chatbots) in a new high risk category despite their low risk. AI-powered chatbots can generate complex text from limited human input and fulfill various functions, from writing recipes, poems, scripts, and articles to Internet searches, creative ideation, and summarizing texts. Like many new technologies, AI chatbots have evoked familiar panic: Doomsayers prophesize such tools will destroy education, create catastrophic redundancies, confuse and control the masses—or become sentient (and sad about it). …In addition to ChatGPT, which people already use for a range of valuable functions, this amendment would carelessly assign as “high risk” other helpful and harmless tools, including:
Feb. 16 (UPI) — For the first time, the Federal Trade Commission has filed charges against a company for so-called “review hijacking.” The FTC complaint, filed Thursday, alleges that the Bountiful supplement company manipulated product reviews on Amazon.
“Bountiful carried out this deceptive tactic by merging its new products on Amazon with different well-established products that had more ratings, reviews,” the FTC said in a press release Thursday.
The complaint alleges that Bountiful abused an Amazon feature that allows products to be displayed in “variation” relationships, where similar products with minor differences share reviews. By requesting variations for their newer products, Bountiful took advantage of products that had already received reviews, giving the impression that the new products were well-rated.
The U.S. says it’s punching back in the digital cold war over emerging technologies with a new “Disruptive Technology Strike Force.”
“Our goal is simple but essential—to strike back against adversaries trying to siphon off our best technology,” a deputy attorney general said.
The strike force, a joint initiative created by the Department of Justice and the Commerce Department reportedly, will focus on combating “adversaries” attempting to steal crucial U.S. tech secrets and attack supply chains. DOJ officials say the new agency will use a combination of “intelligence and data analytics,” to detect early warning of signs of cyber threats and, hopefully, prevent rival nations from “weaponizing data” against the U.S. The strike force will operate in 12 metropolitan regions spread out across the U.S. and include experts from the FBI and Department of Homeland Security. Intellectual property is most often stolen through cyberattack, making the Disruptive Technology Strike Force something of a “hack back” squad.
Part of that striking back could reportedly entail leaning further into proactive effects to reach out and “target illicit actors” before they get a chance to make off with valuable secrets. Monaco, according to Bloomberg, said the U.S. government is already taking action to detect and deter bad actors in addition to actively “disrupting cyber-attacks.”
The agency stated intent to strike back again and “target illicit actors” could also have long-term unintended consequences. Efforts by the DOJ or Commerce Department to launch their own proactive or retaliatory attacks against illicit foreign actors risks potentially spiraling into larger tit-for tat cyber campaigns with devastating consequences. Properly attributing the exact origins of cyberattacks is also notoriously difficult as attackers often route their attacks though other machines. That means retaliatory attacks led by the U.S. strike force could risk hav to contend with unintended collateral damage.