Pete Recommends – Weekly highlights on cyber security issues, November 18, 2023

Subject: New York to crack down on hospital cybersecurity
Source: Becker’s Healthcare – Health IT

New York is planning to tighten regulation of hospital cybersecurity practices, according to draft rules reviewed by The Wall Street Journal. [sharable]

The regulations will require hospitals to develop incident response plans, adopt secure software design practices for in-house applications and install security technologies such as multifactor identification, among other preventive measures.



Copyright © 2023 Becker’s Healthcare.

Subject: Google Sues Hackers Exploiting AI Hype With Alleged Bard Scams
Source: Gizmodo

Ads for fake versions of Google’s generative AI tool, Bard, are showing up on Facebook to steal social media accounts of U.S. small businesses, according to a lawsuit from Google filed Monday. The phony Facebook ads ask users to download Bard, but the AI doesn’t need to be downloaded – it’s a completely web-based product. Naive users actually downloaded malware that stole social media credentials and compromised their accounts. Google’s lawsuit aims to disable any current domains related to the trap and bar the alleged fraudsters, located in Vietnam and India, from setting up any more. This is considered the first lawsuit to protect users of a major tech company’s flagship AI product, Google’s general counsel Halimah DeLaine Prado said to the Wall Street Journal Monday.

In a separate lawsuit also filed on Monday, Google sued a group of bad actors who abused copyright law to wrongly remove over 100,000 businesses’ websites, costing them millions of dollars and thousands of hours in lost employee time.

Subject: Microsoft lays hands on login data: Beware of the new Outlook
Source: heise online

“The free new Outlook replaces Mail in Windows, and later also the classic Outlook. It sends secret credentials to Microsoft servers. (This is a translation of this german article.) [English]

The new Outlook is not what it seems at first glance: a replacement for Microsoft Office Outlook – at least not yet. What it definitely is, however: way too curious. Microsoft is singing the praises of the new Outlook and wants to persuade users to switch. But beware: if you try out the new Outlook, you risk transferring your IMAP and SMTP credentials of mail accounts and all your emails to Microsoft servers. Although Microsoft explains that it is possible to switch back to the previous apps at any time, the data will already be stored by the company. This allows Microsoft to read the emails….In a recent tech community article, Microsoft employee Caitlin Hart also explains that it will also replace the classic Outlook. However, unlike the Windows Mail and Calendar apps, the timetable for this has not yet been set.”

Abstracted from beSpacific
Copyright © 2023 beSpacific, All rights reserved.

Subject: Zelle Begins Refunding Scam Victims in Major Tone Shift
Source: Gizmodo

The payments platform, Zelle, will now refund victims of imposter fraud, which cost Americans $2.6 billion in losses across the industry last year.Zelle, a payments app owned by seven of America’s largest banks, began reimbursing victims of imposter scams on the platform, according to an emailed statement from the company. Early Warning Services, the network operator of Zelle, says it will process refunds for scams dating back to June, which is a change of attitude by American bankers.

Zelle has always reimbursed certain victims, like if a hacker gets into your Zelle account and steals your money. This new reimbursement policy announced Monday, however, is a different category of fraud involving imposter scams, where users are duped into sending money to a fraudulent Zelle account claiming to be someone else. America’s largest banks have long tried to escape responsibility on this front.

*BONUS Article 1*

‘I Withdrew $15,000 Three Times’: 9 PayPal Scams We Can’t Believe People Actually Fell for

One of the most common scams of the 2020s, and one that popped up repeatedly in the complaints Gizmodo obtained, is the Accidental Overpayment Scam, a type of grift the FTC has been warning Americans about since at least 2004. Essentially, the scammer pretends to be part of some big financial institution like PayPal and deposits money into your account. Sometimes the deposited money is a “refund” for a charge that only existed on a fake invoice delivered via email. This big deposit was a mistake, the scammer says, so you’re asked to pay the money back in a different way. Often, the scammer will ask to be paid back in gift cards from Target, Walmart, or Apple. But the boldest of scammers will ask for cash to be mailed, as one did in perhaps the strangest complaints we obtained. The hapless victim complied, according to the complaint.

*BONUS Article 2*

Millions of Old Bitcoin Wallets Have Critical Security Flaws, Experts Say. Bitcoin wallets older than 2016 could have a vulnerability that puts over $1 billion worth of cryptocurrency at risk, according to a report in the Washington Post.

According to Unciphered, a cryptocurrency recovery company, an untold number of crypto wallets were designed with baked-in flaws that leave a backdoor in the code that hackers could easily break open. Encrypted software systems like crypto wallets often rely on random number generators, but the company found that a significant number of wallets were built on open-source software that used numbers that aren’t nearly random enough. These vulnerable wallets use keys with numbers that are one in several thousand instead of one in a trillion, making them susceptible to brute-force attacks.

Subject: ChatGPT Has Been Turned Into A Social Media Surveillance Assistant
Source: Forbes

Social Links, a surveillance company that had thousands of accounts banned after Meta accused it of mass-scraping Facebook and Instagram, is now using ChatGPT to make sense of data its software grabs from social media.Most people use ChatGPT to answer simple queries, draft emails, or produce useful (and useless) code. But spyware companies are now exploring how to use it and other emerging AI tools to surveil people on social media.

In a presentation at the Milipol homeland security conference in Paris on Tuesday, online surveillance company Social Links demonstrated ChatGPT performing “sentiment analysis,” where the AI assesses the mood of social media users or can highlight commonly-discussed topics amongst a group. That can then help predict whether online activity will spill over into physical violence and require law enforcement action.

That’s a problem not just because this kind of technological eavesdropping could amplify inaccuracies or biases. It could also chill online discourse because everyone feels “that they’re being watched, not necessarily by humans, but by AI agents that have the ability to report things to humans who can bring consequences down on your head,” Stanley added.

ChatGPT maker OpenAI didn’t respond to requests for comment. Its usage policy says it does not allow “activity that violates people’s privacy,” including “tracking or monitoring an individual without their consent.”

He warned, however, that law enforcement must be transparent with its use of AI because of its reliability and bias issues. “There is never going to be a way of making AI unbiased,” he said, noting, as have others, that technologies programmed by humans reflect human fallibility.

Subject: Leaving Authentication Credentials in Public Code
Source: Ars Technica via Schneier on Security

Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language. Nearly 3,000 projects contained at least one unique secret. Many secrets were leaked more than once, bringing the total number of exposed secrets to almost 57,000.


The credentials exposed provided access to a range of resources, including Microsoft Active Directory servers that provision and manage accounts in enterprise networks, OAuth servers allowing single sign-on, SSH servers, and third-party services for customer communications and cryptocurrencies. Examples included:

Site RSS feed:

Posted in: AI, Cybersecurity, E-Commerce, Economy, Healthcare, Privacy, Social Media