Pete Recommends – Weekly highlights on cyber security issues, March 25, 2023

Subject: How much will each stolen SSN cost you? How about $.75k
Source: The Register

A Florida healthcare group has settled a class-action lawsuit after thieves stole more than 447,000 patients’ names, Social Security numbers, and sensitive medical information from its servers. Under the settlement [PDF], Orlando Family Physicians, which operates 10 clinics in central Florida, will reimburse affected patients who submit a claim by July 1, and provide them with two years of free credit monitoring. Depending on what type of private data the crooks stole, patients may receive up to $225 or, for those whose SSNs were swiped, up to $7,500.

Is your PII worth $250? Or $75k? [sic]

Subject: It’s impossible to review security cameras in the age of breaches and ransomware
Source: Android Central

I’ve been waiting for the right time to review some old indoor security cameras for the past several months. It’s not about the brand (Blink) or the cameras (which work quite well thus far!). It’s that every time I prepare to write about them, news like the recent Ring ransomware attack or Eufy’s insecure network would emerge, and I would kick my security cam reviews down the road. Why? Because I’ve become increasingly uncomfortable recommending any security camera when knowing whether or not the backend is secure has become something only bug bounty hunters and clairvoyants could safely tell you.

When I review a product, I try to be as nitpicky as possible. Not because I want to give a bad review, but because it’s my job to go past the idealized press releases and spec sheets to see the cracks beneath the surface.

My overall point is simple: Even popular security companies with seemingly impregnable encryption will make decisions that leave your private data or home feeds vulnerable — or hire someone that exploits their power in disturbing ways. And once that company finds out, there is absolutely no guarantee you’ll find out about it unless someone whistleblows or a security expert catches their mistake.

Subject: Kremlin Says Russian Diplomats Should Stick With Flip Phones
Source: Gizmodo

While governments around the world are racing to place restrictions on TikTok over perceived espionage and security concerns, Kremlin leaders in Moscow have their sights set on another target: smartphones. The officials, according to Russian newspaper Kommersant, have advised staff involved with President Vladimir Putin’s 2024 presidential re-election campaign to ditch iPhones—any U.S.-made phone, really—in favor of more “secure” alternatives over fears of potential interference from Western intelligence agencies. Russian officials speaking with The Moscow Times, however, appeared to broaden the device’s scope beyond Apple.

Russia embraced even more Chinese tech following Ukraine invasion.

Banning diplomats’ smartphones wouldn’t be the first time Moscow officials took a stance against foreign technology firms. Earlier this year the government passed a new law restricting government officials’ use of nine foreign instant messaging apps including Discord, WeChat, Microsoft Teams, Telegram, and WhatsApp. Prior to that, officials warned they would consider banning Zoom if the California-based video conferencing firm moved forward with its effort to block the service from Russian government agencies. Russia’s top internet regulator Roskomnadzor similarly banned most Meta products in the country last year due to the company’s stance on the war in Ukraine, labeling the company an “extremist organization” on par with ISIS and Al-Qaeda.

Subject: How to combat hardware Trojans by detecting microchip manipulation
Source: Help Net Security

Not only do security vulnerabilities lurk within software, but they can also be embedded directly into hardware, leaving technical applications open to widespread attack. Researchers from Ruhr University Bochum, Germany, and the Max Planck Institute for Security and Privacy (MPI-SP) are pioneering innovative detection techniques to combat these hardware Trojans. Their algorithm identifies discrepancies by comparing chip blueprints with electron microscope images of the actual chips. The method successfully detected irregularities in 37 out of 40 cases.

The research team has generously made available all chip images, design data, and analysis algorithms online at no cost, enabling fellow researchers to access and utilize these resources for their own investigations and advancements in the field.

“It’s conceivable that tiny changes might be inserted into the designs in the factories shortly before production that could override the security of the chips,” explains Dr. Steffen Becker and gives an example for the possible consequences: “In extreme cases, such hardware Trojans could allow an attacker to paralyze parts of the telecommunications infrastructure at the push of a button.”

Subject: Canceling subscriptions is notoriously difficult. A proposed FTC rule wants to change that
Source: Vox

Everything is a subscription these days. And sometimes, those subscriptions are really hard to cancel — intentionally so. Sneaky companies know that the harder it is to stop paying for their services, the more money they’ll get from people who either didn’t know they were signing up for a paid service in the first place or don’t have the time to cancel it. The Federal Trade Commission announced today that it’s proposing a “click to cancel” rule, which would force businesses to make it just as easy to sign off as it was to sign up.

The click to cancel rule, which is just a notice of proposed rulemaking for now, will amend and update the existing negative option rule, which, FTC Chair Lina Khan said, typically applied to businesses that sent consumers products and then charged them if they didn’t send those products back quickly. But these days, the business model has shifted from physical products you get in the mail to ongoing subscriptions for access to products or services. The agency believes its rules should be updated accordingly.

In addition to requiring businesses to make it as easy to cancel as it is to sign up, the rule would also mean new requirements that businesses better inform consumers that they’re signing up for a paid service. They would also have to get users’ express consent to pay for that service and remind them before those services are automatically renewed.

Subject: FTC Warns of ‘Terrifying’ Phone Scam Driven By AI
Source: Newser

Many of us have heard of the old hoax in which victims receive phone calls from “police” or a “doctor” (actually scammers) saying that a loved one is in trouble and needs money sent stat. Now, in what NPR says “sounds like a plot from a science fiction story,” a new twist on that tried-and-true scheme. The Federal Trade Commission issued an alert to consumers on Monday that explains how scammers are now using artificial intelligence to clone people’s voices, then calling their relatives or friends with that recording to try to swindle them….

Subject: TikTok parent ByteDance owns a bunch of other popular apps. Seems relevant!
Source: Slate

For all the clamor around TikTok and its China-based parent corporation, ByteDance, one fact about them tends to get overlooked: that the Chinese company has other apps, some of which are also quite popular, including in the United States. TikTok is one of the most dominant social platforms in the world, a fact that’s made it the subject of a congressional grilling this week following the government’s threat to ban TikTok if its U.S. operations aren’t divested from ByteDance and sold to domestic owners. Still, the rest of the ByteDance portfolio is no joke, encompassing various games, photo- and video-editing tools, news aggregators, and even virtual reality software across continents. The tech behemoth, which has about seven subsidiary companies, was pumping out social apps long before it sprung TikTok upon the world—something that will still be true even if the United States does ban its golden goose….

Subject: Analysts share 8 ChatGPT security predictions for 2023
Source: VentureBeat

The release of GPT-4 last week shook the world, but the jury is still out on what it means for the data security landscape. On one side of the coin, generating malware and ransomware is easier than ever before. On the other, there are a range of new defensive use cases. Recently, VentureBeat spoke to some of the world’s top cybersecurity analysts to gather their predictions for ChatGPT and generative AI in 2023. The experts’ predictions include:

  • ChatGPT will lower the barrier to entry for cybercrime.
  • Crafting convincing phishing emails will become easier.
  • Organizations will need AI-literate security professionals.
  • Enterprises will need to validate generative AI output.
  • Generative AI will upscale existing threats.
  • Companies will define expectations for ChatGPT use.
  • AI will augment the human element.
  • Organizations will still face the same old threats.

Below is an edited transcript of their responses.

Subject: A fake ChatGPT Chrome extension aims to steal your Facebook account
Source: Android Headlines

Cybersecurity experts have uncovered a fake ChatGPT Chrome extension that does not work as it claims to. This extension posed as a way to integrate ChatGPT AI functions into a user’s Google search results. That in itself seemed too good to be true, considering that Google has its own AI platform. Despite this, some Chrome users proceeded to install the extension, exposing their Facebook accounts to bad actors. A genuine ChatGPT Chrome extension is available for download, but the malicious version appears to have drawn more installs, because it was promoted through a series of sponsored advertisements.

Due to the fuss around ChatGPT recently, many Chrome users clicked on the ad and unknowingly downloaded this malicious extension. Here is everything you need to know about this fake ChatGPT Chrome extension.

If you already make use of the ChatGPT4 extension on Google Chrome, it is important to check that it is the genuine one. To do this, head over to the extension manager via the puzzle icon at the top right-hand corner of the Chrome address bar. From there, open the extension’s details and compare them with its listing in the Chrome Web Store.
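The manual check above can be backed up with a look at what an installed extension is actually allowed to do. The script below is an added example, not code from the Android Headlines article or from any extension vendor: it walks Chrome's on-disk extension directory (on Linux typically ~/.config/google-chrome/Default/Extensions, with one <id>/<version>/manifest.json per extension; the same layout sits under the profile directory on Windows and macOS), reads each manifest.json, and flags the capabilities a Facebook-session stealer needs: the cookies permission, broad host access, explicit access to facebook.com hosts, and an update_url that is not the Chrome Web Store's (store-installed extensions carry https://clients2.google.com/service/update2/crx; a sideloaded one usually has none). The permission list used as "risky" is the author's own heuristic, and the two manifests embedded below are constructed samples, not real extensions. Run with no arguments to audit the samples in a temporary directory, or pass the path of a real Extensions directory.

```python
"""Audit Chrome extension manifests for credential-theft capabilities.

Added example, not part of the article. Directory layout, the risky-permission
heuristic, and the two sample manifests are assumptions / constructed data.
"""
import json
import sys
import tempfile
from pathlib import Path

# Chrome Web Store update endpoint; store-installed extensions carry this value.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Heuristic (author's choice): permissions that read session cookies, script
# arbitrary tabs, or intercept traffic -- what a Facebook-session stealer needs.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting", "tabs"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifests (not real extensions).
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Search helper (constructed sample)",
    "version": "1.0.2",
    "permissions": ["activeTab"],
    "update_url": WEBSTORE_UPDATE_URL,
}
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "ChatGPT for search (constructed sample)",
    "version": "0.9",
    "permissions": ["cookies", "tabs", "scripting"],
    "host_permissions": ["*://*.facebook.com/*", "<all_urls>"],
    # no update_url: not delivered or updated through the Web Store
}


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest; empty list means nothing notable."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 lists host match patterns inside "permissions"; split them out.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("can run on every site")
    fb = sorted(h for h in hosts if "facebook.com" in h)
    if fb:
        findings.append("explicit host access to Facebook: " + ", ".join(fb))
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        findings.append("update_url is not the Chrome Web Store (sideloaded or self-updating)")
    return findings


def audit_extensions_dir(root: Path) -> list[dict]:
    """Walk <Extensions>/<id>/<version>/manifest.json and audit each extension."""
    report = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        with manifest_path.open(encoding="utf-8") as fh:
            manifest = json.load(fh)
        report.append({
            "id": manifest_path.parents[1].name,  # 32-char ID; matches the Web Store URL
            "name": manifest.get("name", "?"),     # may be a __MSG_...__ i18n key
            "version": manifest.get("version", "?"),
            "findings": audit_manifest(manifest),
        })
    return report


def write_sample_profile(root: Path) -> None:
    """Lay out the two constructed manifests in Chrome's directory structure."""
    samples = (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", BENIGN_MANIFEST),
               ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SUSPICIOUS_MANIFEST))
    for ext_id, manifest in samples:
        ext_dir = root / ext_id / manifest["version"]
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo_report() -> list[dict]:
    """Build the constructed sample profile in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    write_sample_profile(root)
    return audit_extensions_dir(root)


if __name__ == "__main__":
    # Pass a real Extensions directory to audit it; otherwise audit the samples.
    report = audit_extensions_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else demo_report()
    for entry in report:
        status = "REVIEW" if entry["findings"] else "ok"
        print(f'{status:6} {entry["id"]} {entry["name"]} v{entry["version"]}')
        for finding in entry["findings"]:
            print("       -", finding)
```

A hit on the cookies permission plus facebook.com host access is not proof of theft on its own (some legitimate extensions need both), but it tells you which extension to check against its Web Store listing first; the ID printed by the script is the same one that appears at the end of the listing's URL, so a mismatch or a missing listing is the signal to remove it.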

Subject: We must sustain America’s Big Tech engines of innovation
Source: The Hill

Regulating Big Tech firms involves conundrums. As President Biden recently described, many Americans are concerned that technology giants such as Alphabet, Amazon, Apple, Meta and Microsoft may be threatening privacy, fueling misinformation, fostering political polarization, negatively impacting the development of young people, and possibly exacerbating our society’s economic disparities. In response, political leaders from both parties and regulatory officials are clamoring for corporate breakups as a panacea for controlling Big Tech. By contrast, judicial authorities have voiced skepticism about regulatory overreach. Regulatory debates, however, are missing a key point: Breaking up Big Tech companies could trigger unintended, and possibly irreparable, collateral damage to America’s quest to remain the world’s leader in new technologies. Regulators must grasp the reality that, in today’s voraciously competitive digital world, global preeminence requires Big Tech firms to operate at the frontier of emerging technologies and harness the synergistic co-evolution of research, product development, and manufacturing.

America’s Big Tech firms must retain the muscle to compete …

The large scale of Big Tech enables it to leverage reciprocity among research, product development platforms at scale, in the case of software, and manufacturing at scale, …

Posted in: AI, Civil Liberties, Computer Security, Cybercrime, Cybersecurity, Economy, Privacy, Social Media, Technology Trends