Pete Recommends – Weekly highlights on cyber security issues, October 29, 2023

Subject: NIST plans new risk evaluation methods and standards tracking for AI
Source: Nextgov/FCW

The associate director for emerging technology at the National Institute of Standards and Technology said the evaluations are designed to identify potential harms from AI systems before they are deployed.

Elham Tabassi, the associate director for emerging technology at NIST, testified before the House Science, Space and Technology Committee on Wednesday, saying that her office is working to build upon its existing AI guidance offerings with new evaluation methods and a standards tracking system.

These new evaluation efforts will primarily look at the socio-technical aspects of AI systems to determine whether they are safe enough for deployment.

“In particular, the evaluations have the goal of identifying risks and harms of AI systems before they are deployed, and to establish metrics and evaluation infrastructure that will allow AI developers and deployers to detect the extent to which AI systems exhibit negative impacts or harms,” Tabassi said.

The forthcoming evaluations support NIST’s goals to prioritize measuring the societal robustness of AI systems, not just the technical aspects.



Subject: The Race to Avert Quantum Computing Threat With New Encryption Standards
Source: NYT

They call it Q-Day: the day when a quantum computer, one more powerful than any yet built, could shatter the world of privacy and security as we know it.It would happen through a bravura act of mathematics: the separation of some very large numbers, hundreds of digits long, into their prime factors.That might sound like a meaningless division problem, but it would fundamentally undermine the encryption protocols that governments and corporations have relied on for decades. Sensitive information such as military intelligence, weapons designs, industry secrets and banking information is often transmitted or stored under digital locks that the act of factoring large numbers could crack open.

The White House and the Homeland Security Department have made clear that in the wrong hands, a powerful quantum computer could disrupt everything from secure communications to the underpinnings of our financial system. In short order, credit card transactions and stock exchanges could be overrun by fraudsters; air traffic systems and GPS signals could be manipulated; and the security of critical infrastructure, like nuclear plants and the power grid, could be compromised.

No one knows when, if ever, quantum computing will advance to that degree. Today, the most powerful quantum device uses 433 “qubits,” as the quantum equivalent of transistors are called. That figure would probably need to reach into the tens of thousands, perhaps even the millions, before today’s encryption systems would fall.

President Biden late last year signed into law the Quantum Computing Cybersecurity Preparedness Act, which directed agencies to begin checking their systems for encryption that will need to be replaced.

Despite the serious challenges of transitioning to these new algorithms, the United States has benefited from the experience of previous migrations, such as the one to address the so-called Y2K bug and earlier moves to new encryption standards. The size of American companies like Apple, Google and Amazon, with their control over large swaths of internet traffic, also means that a few players could get large parts of the transition done relatively nimbly.

See also: NIST initiated a process to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.  Full details can be found in the Post-Quantum Cryptography Standardization page.

Subject: Week in review: Cybersecurity cheat sheets, widely exploited Cisco zero-day, KeePass-themed malvertising
Source: Help Net Security

Lot’s of abstracts from last week. Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: …Previous Week in Reviews:

Subject: Microsoft announces Security Copilot early access program
Source: BleepingComputer

Microsoft announced this week that its ChatGPT-like Security Copilot AI assistant is now available in early access for some customers.Security Copilot, Redmond’s AI-driven security analysis tool, makes it faster for security teams to counter threats using Microsoft’s global threat intelligence expertise and the latest large language models.

This AI assistant, reminiscent of ChatGPT, answers to security questions from defenders, learning and adapting from interactions to tailor its recommendations to each enterprise environment. Its capabilities include instant incident summaries, rapid guided responses, simplified natural language queries, and real-time malware analysis.

Moreover, Security Copilot helps defenders detect previously unknown threats by analyzing attack data and correlating threat activity signals.

As Vasu Jakkal, Microsoft’s Corporate Vice President for Security, Compliance, and Identity revealed, it now also integrates with Microsoft’s 365 Defender Extended Detection and Response (XDR) platform. Participants in the Early Access Program will also have access to Microsoft Defender Threat Intelligence data at no cost.


Subject: Victims of Deepfakes Are Fighting Back
Source: Gizmodo

A new documentary lays bare the personal trauma pornographic deepfakes cause and the steps victims are taking to reclaim their lives.Anyone who’s spent a moment observing US political chatter in recent months has probably encountered the following prediction: 2024 will yield the world’s first deepfake election. Rapidly evolving AI video and audio generators powered by large language models have already been used by both Donald Trump and Ron DeSantis’ presidential campaigns to smear each other and fakes of current President Joe Biden seem to proliferate on a regular basis. Nervous lawmakers—possibly worried their faces may also soon wind up sucked into the AI-generated quagmire—have rushed to propose more than a dozen bills trying to reign in deepfakes on the state and federal levels.

AI-generated pornography, which still makes up the overwhelming majority of nonconsensual deepfakes, has tormented thousands of women for over half a decade, their stories often buried beneath the surface of mainstream concerns. A group of deepfake victims are attempting to lift that veil by recounting their trauma, and the steps they’ve taken to fight back against their aggressors, in a shocking new documentary called Another Body.

Subject: Microsoft Fixes Excel Feature That Forced Scientists to Rename Human Genes
Source: Gizmodo

[from the “computer ate my homework” dept … ] Microsoft now allows users to disable automatic date conversion, which means scientists no longer have to worry about using alternative names for genes.Microsoft recently published a blog highlighting new Excel updates that allow users to disable Automatic Data Conversion. This comes as good news for the scientists, because in recent years they had to rename quite a few human gene names—since Excel was converting them to dates.For a little bit of context, each gene is given a name and a symbol, with the latter usually being an alphanumeric character. So, for instance, Membrane Associated Ring-CH-Type Finger 1 is shortened to MARCH1. However, Excel used to misread that as a date and would convert it to “1-Mar”….

+ comments

Subject: Google’s Chrome Browser Will Help You Hide Your IP Address
Source: Gizmodo

If you’re on the internet browsing with the recently redesigned Google Chrome, you’re probably not the most privacy-minded person out there. Still, the world’s most popular browser is gearing up to allow users to hide their IP address from websites, even without a VPN.Google has been building up this IP Protection feature to try and cut down on cross-site tracking by associating users and their activity with their IP addresses. It’s a kind of covert tracking that’s potentially even more devilish than the regular cookie, as there are few ways to block sites from recognizing users’ IP addresses and associating it with their activity. The feature would essentially create a proxy IP address, meaning select sites won’t be able to know who is trawling their page. The news was spotted by BleepingComputer.

After this first test, Goldstein wrote that the IP Protection will start using a two-hop proxy, essentially a proxy for the initial proxy that would be run by an external network.

Subject: FTC Plans to Address Internet’s Impact on Kid’s Mental Health
Source: Gizmodo

The Federal Trade Commission (FTC) will look to add child psychologists to its staff to advise its efforts on regulating the internet. Democratic Commissioner Alvaro Bedoya said the FTC plans to add a psychologist to its staff by next fall, if not sooner, and said he is embarrassed he hasn’t previously focused on how the media impacts children.The FTC currently isn’t able to adequately look into allegations that the internet is causing mental health problems in children because the commission doesn’t have any full-time experts in psychology on staff, Bedoya told The Record on Monday. He says FTC Chair Lina Khan is on board with the plan and is part of a larger effort to hold media outlets accountable for the effect they have on kids and teens.

The FTC has been presented with research that claims the internet is causing depressive symptoms in children, but Bedoya says he doesn’t have the expertise to make a sound judgment for whether the child is simply sad or if there is a correlation between internet use and mental health harm.

Subject: Without a Trace: How to Take Your Phone Off the Grid
Source: The Markup

A guide on anonymizing your phone, so you can use it without it using you

When I joined the team in August, my first order of business was making sure I had a secure way to connect with the people trusting me with their lives, while simultaneously keeping myself safe. I needed an off-the-grid phone.

In today’s hyper-connected era, the lengths some are going to preserve their phone anonymity are undeniably intricate. While not a path for everyone, this approach paints a vivid picture of the extreme measures individuals are willing to take in the name of privacy.

As for me, I keep a copy of Wesley’s guide tucked away, so I don’t forget the many, many rules of how to master this cash-gift-card-SIM-phone-wipedown operation. I want my sources—and people on the fence on whether or not to trust me—to know that I am committed to protecting their identity, privacy, and stories.


Subject: Kevin Novak – Some LLRX articles by Kevin Novak
Source: Author archives

Author archives

2040 Digital Founder and CEO Kevin Novak has spent nearly two decades helping organizations find their place in the digital world. He’s a four-time winner of the prestigious Webby Award from the International Academy of Digital Arts and Sciences (IADAS). A seasoned association, business and government executive, he’s the former vice president of new business development and digital strategies for the American Institute of Architects. He built the association’s digital strategy, and led product and partnership development to maximize existing revenue streams and build new ones. Previously, as chief digital officer and director education outreach at the Library of Congress, Novak built a centralized digital division to bring the Library’s many disparate websites into a cohesive experience and serve more than 22 million digitized items from its collections. He led several key Library initiatives, including the World Digital Library and the Library of Congress Experience, and built the Library’s partnerships with Google, Flickr, Microsoft, Stanford University, and One Laptop Per Child. He serves on the Executive Committee and Board of Directors for the Business Information Association (BIA-Connectiv), the Software Information Industry Association (SIIA) and the Specialty Information Publishers Association (SIPA), and has chaired working groups for the W3C Electronic Government work group, the U.S. National Research Council/National Academies, and the MOBI Foundation. Kevin holds a BA in Social Sciences from the University of Pittsburgh and an MBA and a MS in Technology Management from the University of Maryland where he is currently an Adjunct Professor teaching Digital Society and Marketing courses.

Copyright © 1996-2023 LLRX®

Subject: Flipper Zero can now spam Android, Windows users with Bluetooth alerts
Source: BleepingComputer

A custom Flipper Zero firmware called ‘Xtreme’ has added a new feature to perform Bluetooth spam attacks on Android and Windows devices.A security researcher previously demonstrated the technique against Apple iOS devices, inspiring others to experiment with its potential impact on other platforms.

The main idea behind the spam attack is to use Flipper Zero’s wireless communication capabilities to spoof advertising packets and transmit them to devices in range of pairing and connection requests. This type of spam attack can confuse the target, make it difficult to discern between legitimate and spoofed devices, and even disrupt the user experience with non-stop notifications popping up on the targeted device.

Xtreme adds “Bluetooth spam”. Earlier this month, Flipper Xtreme announced on its Discord channel that “spam attacks” are coming in the next major firmware release. The admins even shared a demo video showcasing a denial of service (DoS) attack on a Samsung Galaxy device, where a constant feed of connection notifications renders the device unusable.


What Is Flipper Zero – Retailing at a reasonable $169, Flipper Zero is a compact, handheld penetration testing instrument tailored for hacking enthusiasts spanning a range of skill levels. Though its dimensions are unassuming, being even smaller than a typical mobile device, its capabilities are vast. This gadget comes equipped with an assortment of radios and sensors, making it possible to detect and replicate signals from a variety of wireless devices like keyless systems, IoT devices, garage openers, NFC and RFID cards, and more. A product of open-source initiatives, it received significant backing and support during its Kickstarter campaign in 2020.
Posted in: AI, Congress, Cybercrime, Cybersecurity, Legal Research, Privacy