Pete Recommends – Weekly highlights on cyber security issues, August 19, 2023

Subject: ‘Redacted Redactions’ Strike Again
Source: The Intercept via RISKS Digest

Henry Baker <[email protected]> Thu, 20 Jul 2023 15:27:05 +0000

I’d like to coin the neologism “outcroppings” for these redacted redactions. “An outcropping is a rock formation, a place on the earth where the bedrock underneath shows through.” Perhaps ‘natural emergence’ has come a cropper? Oops!

HOUSE REPUBLICANS ACCIDENTALLY RELEASED A TROVE OF DAMNING COVID DOCUMENTS

“According to the metadata in the PDF of the report, it was created using ‘Acrobat PDFMaker 23 for Word,’ indicating that the report was originally drafted as a Word document. Word, however, retains the original image when an image is cropped, as do many other apps. Microsoft’s documentation cautions that ‘Cropped parts of the picture are not removed from the file, and can potentially be seen by others,’ going on to note: ‘If there is sensitive information in the area you’re cropping out make sure you delete the cropped areas.’

“When this Word document was converted to a PDF, the original, uncropped images were likewise carried over. The Intercept was able to extract the original, complete images from the PDF using freely available tools…”
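As an added example (not code from the Intercept article or the RISKS post), here is a pre-publication check a document owner could run on a .docx before converting it to PDF: it lists every picture that carries a DrawingML a:srcRect crop and reports that the complete original image is still stored under word/media/. The sample document is constructed inline; its image bytes are placeholder marker bytes, not a real PNG.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# DrawingML / package namespaces used inside a .docx (OOXML)
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "pic": "http://schemas.openxmlformats.org/drawingml/2006/picture",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
}
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_cropped_pictures(docx_bytes):
    """(media_path, crop, stored_bytes) for each picture with a non-zero a:srcRect crop."""
    # Word records a crop only as a:srcRect percentages (units of 1/1000 %) applied at
    # render time; the file under word/media/ is still the complete original image.
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        target_of = {r.get("Id"): r.get("Target") for r in rels.iter(f"{{{REL_NS}}}Relationship")}
        for pic in doc.iter(f"{{{NS['pic']}}}pic"):
            blip, rect = pic.find(".//a:blip", NS), pic.find(".//a:srcRect", NS)
            if blip is None or rect is None:
                continue  # no image reference, or the image is not cropped at all
            crop = {side: int(rect.get(side, "0")) for side in ("l", "t", "r", "b")}
            if any(crop.values()):
                media = "word/" + target_of[blip.get(f"{{{NS['r']}}}embed")]
                hits.append((media, crop, z.getinfo(media).file_size))
    return hits

def build_sample_docx():
    """Constructed minimal .docx: one picture cropped 25% left / 10% right (placeholder bytes, not a real PNG)."""
    document_xml = (
        f'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        f'xmlns:a="{NS["a"]}" xmlns:pic="{NS["pic"]}" xmlns:r="{NS["r"]}"><w:body><w:p><w:r>'
        '<w:drawing><pic:pic><pic:blipFill><a:blip r:embed="rId1"/><a:srcRect l="25000" r="10000"/>'
        "</pic:blipFill></pic:pic></w:drawing></w:r></w:p></w:body></w:document>"
    )
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
        'Target="media/image1.png"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    return buf.getvalue()
```

Any hit is an image that should be cropped in an image editor and re-inserted, or have its cropped areas deleted as Microsoft's documentation advises, before the file is converted or shared.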

Subject: Microsoft limits use of AI Services in upcoming Services Agreement update
Source: gHacks Tech News

Microsoft plans to update its Services Agreement on September 30, 2023. The company is currently informing customers about the change via email and other means. If you take the time to go through the lengthy services agreement, you may notice several new sections. Besides the new Microsoft Storage section, which covers OneDrive and now also attachment storage, since attachments now count against OneDrive storage quotas, there is a new AI section that defines rules for using Microsoft’s AI-based services.

Microsoft defines AI services as “services that are labeled or described by Microsoft as including, using, powered by, or being an Artificial Intelligence (“AI”) system”. This then includes, among others, Bing Chat, Windows Copilot, Microsoft Security Copilot, the Azure AI platform and Teams Premium.

Microsoft lists five rules regarding AI Services in the section. The rules prohibit certain activity, explain the use of user content and define responsibilities.

The first three rules limit or prohibit certain activity. Users of Microsoft AI Services may not attempt to reverse engineer the services to explore components or rulesets. Microsoft furthermore prohibits users from extracting data from AI services and from using data from Microsoft’s AI Services to train other AI services…. Interested users can check out Microsoft’s list of all the changes in the September 30, 2023 Services Agreement update here.

Closing Words

Microsoft is betting on AI and it was only a matter of time before it would add regulations to its Services Agreement that limit and regulate user interactions with these services in writing. (via Born)


Subject: Diligere, Equity-Invest Are New Firms of U.K. Con Man
Source: Krebs on Security

John Clifton Davies, a convicted fraudster estimated to have bilked dozens of technology startups out of more than $30 million through phony investment schemes, has a brand new pair of scam companies that are busy dashing startup dreams: A fake investment firm called Equity-Invest[.]ch, and Diligere[.], a scam due diligence company that Equity-Invest insists all investment partners use. A native of the United Kingdom, Mr. Davies absconded from justice before being convicted on multiple counts of fraud in 2015. Prior to his conviction, Davies served 16 months in jail before being cleared on suspicion of murdering his third wife on their honeymoon in India.

John Clifton Davies was convicted in 2015 of swindling businesses throughout the U.K. that were struggling financially and seeking to restructure their debt. For roughly six years, Davies ran a series of firms that pretended to offer insolvency services. Instead, he simply siphoned what little remaining money these companies had, spending the stolen funds on lavish cars, home furnishings, vacations and luxury watches.

In April 2023, KrebsOnSecurity wrote about Codes2You, a recent Davies venture which purports to be a “full cycle software development company” based in the U.K. The company’s website no longer lists any of Davies’ known associates, but the site does still reference software and cloud services tied to those associates — including MySolve, a “multi-feature platform for insolvency practitioners.”


Subject: A Clever Honeypot Tricked Hackers Into Revealing Their Secrets
Source: WIRED

Security researchers set up a remote machine and recorded every move cybercriminals made—including their login details.

For the past three years, hapless cybercriminals trying to steal data or deploy malware have been stumbling upon a virtual machine hosted in the United States. Like countless others, this machine’s weak password could easily be cracked. But, unbeknown to the hackers, the remote machine they’ve been accessing is a trap.

Every time one of the 2,000-plus attackers forced their way into the machine, researchers at cybersecurity firm GoSecure could watch their every move. Secretly, they recorded the machine’s screen, observing every mouse click and keyboard tap, as well as stealthily grabbing any data copied onto the clipboard of the attacker’s own devices.

An analysis of more than 100 hours of screen recordings from the attacks—an arguably unprecedented amount of data about the behavior of cybercriminals in action—shows the hackers gave away many of their most precious secrets. They inadvertently revealed the hacking tools they use and how they use them and what they do when they break into a system. Those foolish enough to log in to their personal email accounts also handed over details about their lives away from the keyboard.

The new analysis by the GoSecure researchers, which is being presented at the Black Hat security conference in Las Vegas today, offers a detailed look at how those abusing RDP operate. Bilodeau says the team set up the RDP honeypot in January 2020 and created it outside of GoSecure’s systems so no data was put at risk. The researchers then used their homemade RDP interception tool, PyRDP, to capture the hackers in the act.

Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you’re not good at that’ or ‘Go faster’ or ‘Go deeper,’ or ‘You can do better.’”


Subject: Data Breaches and Lawyers: Highlights from IBM’s 2023 Report
Source: Clio — Lawyer Blog & News

H/T Sabrina. IBM Security recently released its 2023 Cost of a Data Breach Report [free reg. req’d]. This report studied 553 organizations that experienced data breaches between March 2022 and March 2023 to help IT, risk management, and security leaders understand the impact.

Why should lawyers pay attention to this report on data breaches? For one, a recent global cyberattack targeted, among others, three of the top Biglaw firms in the world. Furthermore, according to the American Bar Association’s 2022 Legal Technology Survey Report, 27% of law firms reported having experienced a security breach at some point. In our increasingly interconnected society, and in a profession that demands data security, lawyers simply can’t afford a data breach. Yet, over one-quarter of firms report that they’ve experienced one.

Below, we’ll provide some highlights from IBM’s 2023 Cost of a Data Breach Report and delve into how lawyers can avoid a data breach.


Subject: Two Women Accuse Tile of Marketing Its Devices as Stalking Aids
Source: Gizmodo

Two alleged stalking victims filed a class-action lawsuit against Tile and its parent company Life360 Monday accusing the companies of failing to implement useful safety features and of mounting advertising campaigns that encouraged stalking. They also accuse the company of tanking the case against their alleged stalker, who they say used Tile to track them relentlessly, by failing to comply with subpoenas.

“From the moment of the Tile tracker’s release, Tile marketed its product both explicitly and implicitly for the purpose of tracking people—particularly women,” the complaint says. “Despite having knowledge of the propensity for misuse of the Tile tracker, Tile waited nine years before implementing any type of safety feature on its trackers. Worse still, shortly after the introduction of those safety features, the company released a mechanism by which Tile owners could disable the features, thereby intentionally thwarting any recourse or protection a potential victim might have.”

Tile’s tracking tags have far less robust safety features than Apple AirTags, the company’s main competitor. After nearly a decade of operating, Tile rolled out its first major anti-stalking tool last year after mounting controversy over safety concerns. The feature, called “Scan and Secure,” lets you check if there are any Tile trackers nearby. However, because Tile says its primary purpose is theft prevention, you have the option to disable the anti-stalking tech, presumably so would-be thieves don’t know they’re being tracked. To disable the feature, you have to provide Tile with an ID and agree to a $1 million fine if you use a Tile product for stalking.

Subject: National Archives will make its AI use case inventory public
Source: FedScoop

The National Archives, the federal agency responsible for maintaining government records, plans to release an inventory of its artificial intelligence use cases in the coming days. The agency has already begun pilots of certain artificial intelligence and machine learning systems, so its plan to publish a public inventory marks a significant step forward for government transparency over the growing use of this technology.

A 2020 executive order, EO 13960, requires federal agencies to produce inventories of their AI use cases, and subsequent guidance from the CIO Council requires the lists to be published both to an internal federal information-sharing platform and publicly on each agency’s website. NARA confirmed that it plans to publish a public inventory in response to questions from FedScoop.

Subject: Top Biden tech priorities stalled by misalignment between federal IT teams
Source: FedScoop

A significant lack of prioritization and strategic vision from key technology leaders at the White House’s U.S. Digital Service, the Office of Management and Budget and the General Services Administration has caused massive delays in critical improvements to government websites that millions of Americans use every day, according to multiple current and former government IT officials. Five current and former federal officials familiar with the matter said the “failure” of senior leaders to prioritize digital experience projects — central to the Biden administration’s federal technology agenda — has caused severe delays to implementation of the 21st Century Integrated Digital Experience Act (IDEA Act), which Congress passed in 2018. In particular, they told FedScoop that a lack of coordination and consensus between the three agencies has stymied progress.

