Pete Recommends – Weekly highlights on cyber security issues, September 16, 2023

Subject: The Absence of Data Privacy Law is a National Security Threat
Source: The National Interest

Informational technology companies’ involvement in aiding and abetting foreign intelligence activities in alleged human rights violations must continue to face scrutiny. by Jong Min Lee

On April 18, 2007, a Chinese man named Wang Xiaoning filed a lawsuit at the U.S. Federal Court in the Northern District of California over his arrest by the Ministry of Public Safety for his pro-democracy activities. His detainment in China involved torture by the authorities. Despite his cautiousness in utilizing pseudonyms and publishing pro-democratic materials anonymously, the arrest was made possible through cooperation from American multinational technology company Yahoo, which handed over private email records, copies of email messages, and other content of the electronic communications. This has led to national attention in the United States. However, the case was later withdrawn after the plaintiff received an undisclosed settlement amount from Yahoo.

With the sixteen-year-old legal precedent of Xiaoning v. Yahoo!, Inc. (2007), there’s been a shadowy history of U.S. businesses’ contributions to China’s mass surveillance and censorship programs. As uncovered through Doe I v. Cisco Systems, Inc. (2014), it has been an open secret that Cisco was involved in the development of China’s notorious censorship program, the Golden Shield Project, in the 1990s to early 2000s. Based on the timeline of these events, which is a decade old, these cases may no longer seem to be relevant in the present day. But as the human rights violations of Uyghurs and intelligence activities of China have been highlighted throughout the exacerbation of U.S.-China relations, the informational technology companies’ involvement in aiding and abetting foreign intelligence activities in alleged human rights violations will continue to face scrutiny.

Subject: How Google Assistant and Amazon Alexa Target You With Ads
Source: Consumer Reports

Voice assistants can profile you based on your interactions, a new study finds

But what happens when you use voice assistants like Amazon’s Alexa, Google’s Assistant, or Apple’s Siri? If you have a smart speaker in your kitchen, does its manufacturer use your questions and commands to feed its marketing databases with information about you?

The answer is often yes, according to a new study from Northeastern University in Boston, which found evidence that Google and Amazon—but not Apple—use your voice interactions to draw conclusions about you. Based on what you say to the devices, Google infers things like your marital status and homeowner status, while Amazon notes products you may be interested in.

If you want to opt out of targeted advertising entirely, you can do that too. Doing so will go further than just limiting how companies can use your voice assistant interactions—it’ll stop them from using any details they’ve guessed about you to choose what advertising you see. (It won’t reduce advertising, though—you’ll just get more generic ads.)

Subject: China is using AI photos to mislead American voters
Source: Android Headlines

Microsoft analysts reported that China uses AI-generated content to trick American voters ahead of the 2024 election. The tech company also says Chinese agents are getting better at doing this. Concerns about election safety are arising as we get closer to the US 2024 presidential election. Back in 2016, Russia was accused of meddling in the election. Now, Chinese agents are reportedly trying to influence American public opinion with AI photos. Ex-Google CEO Eric Schmidt already predicted that the upcoming US election could become a “mess” due to AI.

According to the Microsoft analysts report, China and North Korea currently employ AI-generated content to target voters. The scope of their operation is said to be greater than anything already seen.

“We have observed China-affiliated actors leveraging AI-generated visual media in a broad campaign that largely focuses on politically divisive topics, such as gun violence, and denigrating US political figures and symbols,” Clint Watts, the Microsoft Threat Analysis Center general manager, said.

Subject: Associated Press warns that AP Stylebook data breach led to phishing attack
Source: BleepingComputer

The Associated Press is warning of a data breach impacting AP Stylebook customers where the attackers used the stolen data to conduct targeted phishing attacks.

The AP Stylebook is a commonly used guide on grammar, punctuation, and writing style for journalists, magazines, and newsrooms worldwide.

This week, the Associated Press warns that an old third-party-managed AP Stylebook site that was no longer in use was hacked between July 16 and July 22, 2023, allowing the data for 224 customers to be stolen.

The stolen information includes a customer’s name, email address, street address, city, state, zip code, phone number, and User ID. For customers who entered tax-exempt IDs, such as a Social Security Number or Employer Identification Number, those IDs were stolen as well. …

The Associated Press also requires all AP Stylebook customers to reset their passwords on the next login. …

Subject: Don’t fall for firms pushing “voice verification” bypasses
Source: The RISKS Digest

Don’t fall for firms pushing “voice verification” bypasses. Lauren Weinstein <[email protected]> Fri, 8 Sep 2023 08:37:19 -0700

A suggestion. If a firm you deal with offers to sign you up for a *voice verification* service that bypasses PINs, passwords, etc., you would be wise to decline. There are increasing reports of online AI voice generators being used to defraud customers via these systems. And the situation is likely to be getting only worse.

Subject: How to Prevent API Breaches: A Guide to Robust Security
Source: The Hacker News

With the growing reliance on web applications and digital platforms, the use of application programming interfaces (APIs) has become increasingly popular. If you aren’t familiar with the term, APIs allow applications to communicate with each other and they play a vital role in modern software development. However, the rise of API use has also led to an increase in the number of API breaches. These breaches occur when unauthorized individuals or systems gain access to an API and the data it contains. And as victims can attest, breaches can have devastating consequences for both businesses and individuals. …

Subject: MGM Site Down, Users Speculate It May Have Been Hacked
Source: VegasSlotsOnline

  • MGM’s website is down, including on-site computer systems like withdrawals
  • Some users have taken to X to suggest that MGM may have been hacked

MGM has made no comment but was hacked in 2019, exposing guest details

Multiple other X users have also posted regarding the issue. Commenting at 3.40am Monday morning, one user named Connor O’brien said MGM ATMs and withdrawals had been inactive for the past six hours. He added: “Wonder how much MGM is losing per minute.”


Subject: Hackers Are Salivating Over Electric Cars
Source: The Atlantic

[h/t Sabrina]

The rise of “smartphones on wheels” is ushering in cybersecurity risks that have never before existed on America’s roads.

When a group of German hackers breached a Tesla, they weren’t out to remotely seize control of the car. They weren’t trying to access the owner’s WiFi passwords, nor did they want a way to steal credit-card numbers from a local electric-vehicle charging network.

Their target was its heated seats.

As part of the move toward electric cars, most automakers are copying Silicon Valley’s playbook and making drivers pay monthly or yearly fees to unlock new features. Sometimes those features are fairly basic, like a remote starter; in other cases they’re more advanced, like autonomous parking assistance. Accessing them typically requires just a few taps on a car’s touchscreen or its related smartphone app, the same way you might subscribe to anything else online. It’s part of why the new generation of cars is often described as “smartphones on wheels”: Cars now offer various downloadable apps, automated driver assistance, and even integration with platforms such as Spotify and TikTok. But more digital features that connect your car to the internet provide openings for data theft, tampering, and other cybersecurity risks that simply have not existed on the roads until now.

For individual drivers, security likely means making sure that your car’s software is up-to-date just as you would with your phone, or even being judicious about where and how you dole out credit-card information—something that doesn’t bode well for the multitude of apps required for EV charging. But most of us still think of our cars in terms of filling up gas, oil changes, and rotating tires, not data privacy. If the auto industry wants drivers to see cars as “smartphones on wheels”—and pay the same way—it’s got to be prepared for the worst. That, or we learn to just skip the heated seats.



Subject: Pentagon vows to use cyberspace to project power and ‘frustrate’ US adversaries
Source: CNN Politics

The Pentagon pledged to use offensive cyber operations to “frustrate” and “disrupt” foreign powers and criminals that threaten US interests in a new military strategy document released Tuesday that warns of China’s aims to dominate cyberspace.

The Department of Defense’s new cyber strategy – shaped by a close study of Russia’s war in Ukraine – casts the US military’s burgeoning hacking capabilities as important to US power projection, but also acknowledges the risks of escalation in cyberspace.

The department will “remain closely attuned to adversary perceptions and will manage the risk of unintended escalation,” says the unclassified summary of the new strategy, which supersedes the Pentagon’s 2018 cyber strategy. The new document largely reinforces policies already in effect, including a commitment to actively counter US adversaries in cyberspace rather than merely play defense on US networks.

“There is a recognition that we will, as the department, need to disrupt … malicious cyber activity coming at the United States, and we have been doing so,” said Eoyang, who is deputy assistant secretary of Defense for cyber policy.

Subject: Appeals Court Upholds Public.Resource.Org’s Right to Post Public Laws and Regulations Online
Source: EFF

Technical standards like fire and electrical codes developed by private organizations but incorporated into public law can be freely disseminated without any liability for copyright infringement, a federal appeals court ruled Tuesday. Tuesday’s ruling by a three-judge panel of the U.S. Court of Appeals for the District of Columbia Circuit upholds the idea that our laws belong to all of us, and we should be able to find, read, and share them free of registration requirements, fees, and other roadblocks. It’s a long-awaited victory for Public.Resource.Org, a nonprofit organization founded in 2007 by open records advocate Carl Malamud of Healdsburg, Calif., and represented in this case by the Electronic Frontier Foundation (EFF) with co-counsel Fenwick & West and David Halperin.
Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: MGM Grand Cyberattack Allegedly Caused by 10-Minute Phone Call
Source: Gizmodo

The ransomware group allegedly took hold of MGM’s computer systems in three simple steps, according to vx-underground. “All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk,” the organization wrote in a Twitter post. “A company valued at $33,900,000,000 was defeated by a 10-minute conversation,” it added.

David Kennedy, chief executive officer of the cybersecurity company TrustedSec, told Bloomberg he wasn’t surprised by the MGM hack. “Casinos are hot right now,” he said, adding that he has responded to dozens of casino cyberattacks.

Subject: NSA, U.S. Federal Agencies Advise on Deepfake Threats
Source: NSA/CSD

FORT MEADE, Md. – The National Security Agency (NSA) and U.S. federal agency partners have issued new advice on a synthetic media threat known as deepfakes. This emerging threat could present a cybersecurity challenge for National Security Systems (NSS), the Department of Defense (DoD), and DIB organizations.

They released the joint Cybersecurity Information Sheet (CSI) “Contextualizing Deepfake Threats to Organizations” to help organizations identify, defend against, and respond to deepfake threats. NSA authored the CSI with contributions from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).

The NSA, FBI, and CISA encourage security professionals to implement the strategies in the report to protect their organizations from these evolving threats.

Subject: Enterprises persist with outdated authentication strategies
Source: Help Net Security

With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication.

The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches. Many are failing to adhere to best practices for password management, which is leaving them exposed as compromised credentials are behind more than 50% of breaches, according to the Verizon 2023 Data Breach Investigations Report.

“Authentication strategies are firmly in cybercriminals’ crosshairs,” said Michael Greene, CEO of Enzoic. “Despite this recognized vulnerability, enterprises continue to deploy archaic strategies that fail to eliminate authentication mechanisms as a threat vector. The much-hyped passwordless future is not on the horizon anytime soon for most organizations, so it’s vital to adopt modern and robust password policies that don’t add friction for users.”

Cyberattack spurs action

However, once a business suffers an authentication-related cyberattack, this is often the impetus to shore up defenses.

Following an attack:

  • 38% conduct regular security audits and vulnerability assessments
  • 28% implement MFA
  • 30% strengthen password policies
  • 26% educate users
  • However, 10% make no changes after an attack occurs!

Subject: Here’s what the Google trial is about and why you should care
Source: Android Central

The U.S. Department of Justice’s 10-week antitrust trial against Google is underway, and it has the potential to spell big trouble for the Mountain View tech giant. The Justice Department, along with several individual states, claim that Google was able to reach its status as the dominant company in search through anti-competitive means. Now, the company has reached monopoly status and everything needs to be investigated. It’s a highly watered-down set of claims, as U.S. district court judge Amit Mehta dismissed the claims that Google also engaged in anti-competitive behavior enabled by its dominance, harming companies like Yelp and Tripadvisor through Google Search, in early August. Nevertheless, Google is finally facing some consequences for its actions, even if it dodged a bullet here.

The case hinges on several things, namely, is Google a monopoly when it comes to search, has the company caused any real harm, and is what it did actually anti-competitive? It also is in court over allegations based on laws written over 100 years ago, so much of how anything can be interpreted is up to one judge. What did Google do wrong?…

Posted in: AI, Civil Liberties, Communications, Comparative/Foreign Law, Cybercrime, Cyberlaw, Cybersecurity, Human Rights, Legal Research, Privacy