Pete Recommends – Weekly highlights on cyber security issues, January 27, 2024

Subject: Do the casino ransomware attacks make the case to pay?
Source: The Register

[h/t Sabrina] What can be learned from MGM’s and Caesars’ infosec moves.

Feature – The same cybercrime crew broke into two high-profile Las Vegas casino networks over the summer, infected both with ransomware, and stole data belonging to tens of thousands of customers from the mega-resort chains. But despite the similar characters and plots, these two stories have disparate endings — and seem to suggest two very different takeaways to corporations confronted with extortionists’ demands and the question of paying or not paying a ransom.

‘Like cutting the cheese in a packed elevator’

When looking at what ransomware payments end up funding (weapons development, oppressive regimes, more cybercrime and network intrusions), all other things being equal, we’d assume most organizations would choose not to give in to extortion demands.

“Paying a ransom is like cutting the cheese in a packed elevator: it makes other people suffer,” Emsisoft threat analyst Brett Callow told The Register. “Put simply, companies that pay keep ransomware alive and ensure other companies will be attacked. If nobody paid, there’d be no more ransomware.”

But when looking at both casinos’ outcomes, it appears as if the clear, less painful choice is to pay the ransom.

Still, even if you’re willing to ignore the murky ethical issues around funding criminal organizations, it’s not that cut and dried.

To pay or not to pay? There are a number of factors that play into a company’s decision to pay or not pay a ransom, according to incident responders.

Subject: AI-poisoning tool Nightshade now available for artists to use
Source: VentureBeat

It’s here: months after it was first announced, Nightshade, a new, free software tool allowing artists to “poison” AI models seeking to train on their works, is now available for artists to download and use on any artworks they see fit. Developed by computer scientists on the Glaze Project at the University of Chicago under Professor Ben Zhao, the tool essentially works by turning AI against AI. It makes use of the popular open-source machine learning framework PyTorch to identify what’s in a given image, then computes a perturbation that subtly alters the image at the pixel level so that other AI programs see something quite different from what a human sees.

An AI model that ended up training on many images altered or “shaded” with Nightshade would likely erroneously categorize objects going forward for all users of that model, even in images that had not been shaded with Nightshade.

Applause and condemnation – While some artists have rushed to download Nightshade v1.0 and are already making use of it — among them, Kelly McKernan, one of the former lead artist plaintiffs in the ongoing class-action copyright infringement lawsuit against AI art and video generator companies Midjourney, DeviantArt, Runway, and Stability AI — some web users have complained about it, suggesting it is tantamount to a cyberattack on AI models and companies. (VentureBeat uses Midjourney and other AI image generators to create article header artwork.)
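To make the mechanism concrete, here is an added toy example; it is not the Glaze Project’s code and not Nightshade’s actual algorithm. A frozen random linear map stands in for the pretrained feature extractor, and the “model under attack” learns each caption’s concept as the mean feature of the images carrying that caption (a stand-in for what a text-to-image model learns for a word). `shade()` uses projected gradient descent to move a dog image’s features onto a cat’s within a small per-pixel budget while the caption stays “dog”; success is measured by what a clean reference model says the poisoned model’s “dog” looks like. All names, dimensions and thresholds are assumptions.

```python
"""Toy feature-space poisoning in the spirit of Nightshade.

Added example, not the Glaze Project's code. The feature extractor is a fixed random
linear map standing in for a pretrained vision encoder; the model under attack learns
each caption's concept as the mean feature of the images captioned with it.
"""
import numpy as np

rng = np.random.default_rng(7)
D = 32 * 32   # a 32x32 grayscale "image", flattened; pixel values in [0, 1]
K = 4         # output dimension of the (frozen) feature extractor

# Stand-in feature extractor: random unit-norm rows (assumption, not a real encoder).
W = rng.standard_normal((K, D))
W /= np.linalg.norm(W, axis=1, keepdims=True)


def features(x):
    return W @ x


# Two constructed concepts as pixel prototypes; individual images add small noise.
PROTO = {"cat": rng.uniform(0.0, 1.0, D), "dog": rng.uniform(0.0, 1.0, D)}


def sample(label, n):
    return np.clip(PROTO[label] + 0.05 * rng.standard_normal((n, D)), 0.0, 1.0)


def looks_like(x):
    """What a human-like viewer sees: the nearest prototype in pixel space."""
    return min(PROTO, key=lambda lbl: np.linalg.norm(x - PROTO[lbl]))


def perturbation_linf(x0, x1):
    """Largest per-pixel change between two images."""
    return float(np.max(np.abs(x1 - x0)))


def shade(x, target_feat, eps=0.1, steps=300, lr=0.4):
    """Projected gradient descent: find a per-pixel perturbation bounded by eps that makes
    the extractor output target_feat instead of features(x). Pixels barely change;
    the features change completely."""
    delta = np.zeros_like(x)
    for _ in range(steps):
        residual = W @ (x + delta) - target_feat
        delta -= lr * (2.0 * W.T @ residual)        # gradient of ||W(x+delta) - target||^2
        delta = np.clip(delta, -eps, eps)           # stay inside the perturbation budget
        delta = np.clip(x + delta, 0.0, 1.0) - x    # keep valid pixel values
    return x + delta


def learn_concepts(train):
    """Model under attack: concept(caption) = mean feature of images with that caption."""
    feats = {}
    for caption, img in train:
        feats.setdefault(caption, []).append(features(img))
    return {c: np.mean(f, axis=0) for c, f in feats.items()}


# A reference model trained only on clean data, used to name what other models produce.
CLEAN_MODEL = learn_concepts([("cat", x) for x in sample("cat", 50)] +
                             [("dog", x) for x in sample("dog", 50)])


def judge(feat):
    return min(CLEAN_MODEL, key=lambda c: np.linalg.norm(feat - CLEAN_MODEL[c]))


def train_with_poison(poison_fraction, n_per_class=50):
    """Training set in which poison_fraction of the 'dog'-captioned images were shaded to
    carry cat features. Captions are untouched, as they would be in scraped data."""
    dogs = sample("dog", n_per_class)
    n_poison = int(round(poison_fraction * n_per_class))
    cat_target = features(PROTO["cat"])
    shaded = [shade(x, cat_target) for x in dogs[:n_poison]]
    train = [("cat", x) for x in sample("cat", n_per_class)]
    train += [("dog", x) for x in shaded] + [("dog", x) for x in dogs[n_poison:]]
    return learn_concepts(train)


def what_model_thinks_dog_is(poison_fraction):
    """Ask the poisoned model for its 'dog' concept and let the clean reference name it."""
    return judge(train_with_poison(poison_fraction)["dog"])


if __name__ == "__main__":
    x0 = sample("dog", 1)[0]
    x1 = shade(x0, features(PROTO["cat"]))
    print("shaded image looks like:", looks_like(x1), "| extractor sees:", judge(features(x1)),
          "| max pixel change:", round(perturbation_linf(x0, x1), 3))
    for p in (0.0, 0.3, 0.8):
        print(f"poison fraction {p:.1f}: the model's 'dog' is judged", what_model_thinks_dog_is(p))
```

What the toy shows that the paragraph does not: the perturbation is a constrained optimisation against a feature extractor rather than a tag or watermark; the captions are never touched; and the learned concept only flips once shaded images make up a large enough share of that caption’s training data (in this mean-based toy, a majority), which is why the tool’s effect depends on how widely artists adopt it.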



Subject: Week in review: 10 cybersecurity frameworks you need to know, exploited Chrome zero-day fixed
Source: Help Net Security

Week in review: 10 cybersecurity frameworks you need to know, exploited Chrome zero-day fixed. Here’s an overview of some of last week’s most interesting news, articles, interviews and videos…

Subject: AT&T is trying to kill all landlines in California, which would have devastating effects
Source: The RISKS Digest

Lauren Weinstein <[email protected]> Sun, 14 Jan 2024 07:50:46 -0800

AT&T is sending out letters warning they want to kill virtually all landlines (and perhaps related data circuits where fiber is unavailable) across essentially their entire coverage area throughout California. This would have devastating effects. Related CPUC meetings will be taking place through March. Landlines provide crucial services for individuals, businesses, and other organizations in a wide variety of situations—not just emergencies when cellular and Internet service tends to rapidly fail, but also for vast numbers of people in areas with poor (or no) reliable cell service, no fiber, etc. Landlines often provide the only available communication in a wide variety of security and safety situations, from elevators to interior spaces of all sorts where cell service simply doesn’t work. Many disabled and other persons have crucial equipment that depends on landlines. Often they are not tech-savvy and do not have friends or relatives to help them through forced technology changes…

Subject: Watch out for “I can’t believe he is gone” Facebook phishing posts
Source: BleepingComputer

A widespread Facebook phishing campaign stating, “I can’t believe he is gone. I’m gonna miss him so much,” leads unsuspecting users to a website that steals their Facebook credentials. This phishing attack is ongoing and widely spread on Facebook through friends’ hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform.

As the posts come from your friends’ hacked accounts, they look more convincing and trustworthy, leading many to fall for the scam.

The phishing campaign started around a year ago, with Facebook having trouble blocking the posts as they continue to this day. However, when new posts are created and reported, Facebook deactivates the redirect link in the post so that they no longer work.

As this phishing attack does not attempt to steal two-factor authentication (2FA) tokens, it is strongly advised that Facebook users enable 2FA to prevent their accounts from being accessed if they fall for a phishing scam.


Subject: CISA, FBI release joint cybersecurity guidance covering Chinese-manufactured drones
Source: Homeland Preparedness News

Concerned about cybersecurity risks posed by Chinese-manufactured unmanned aircraft systems (UAS), the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) recently released guidance about those threats and advice on safeguards. The Cybersecurity Guidance: Chinese-Manufactured UAS publication focused on the threats to critical infrastructure and state, local, Tribal and territorial partners, particularly threats posed to networks and sensitive information. Several laws enacted by the Chinese government raised concern in the United States because they expand the government’s legal rights to access and control data held by firms operating in China. U.S. agencies have stated that Chinese-manufactured UAS could expose sensitive information to Chinese authorities.

Failure to secure against Chinese intervention, the report warned, could lead to exposing intellectual property to Chinese companies and costing U.S. companies their competitive advantage. It also noted that if the Chinese government gains such insights into critical infrastructure and vulnerabilities, it could lead to even greater abilities to disrupt critical services. Theft, sabotage of critical assets, and increased cyber-attacks on critical infrastructure were all among the concerns noted by the guidance.


Subject: Without clear guidance, SEC’s new rule on incident reporting may be detrimental
Source: Help Net Security

The SEC has instituted a set of guidelines “requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.” These new guidelines went into effect on December 18, 2023, which means 2024 will be an important year for enterprises and how they adhere to current security regulations.

However, critical pieces of the SEC’s regulations are lacking specificity which leaves companies to their own discretion (and confusion) of what constitutes a “material” incident, and what the full scale of penalties may be for a failure to disclose appropriately.

It’s important to recognize that cybersecurity incidents are a common occurrence for companies, but not all warrant public disclosure.

Subject: MFA Spamming and Fatigue: When Security Measures Go Wrong
Source: The Hacker News

Cybercriminals are relentless in their pursuit of ways to bypass MFA systems. One such method gaining traction is MFA spamming, also known as MFA fatigue or MFA bombing: the attacker, already holding a valid password, triggers push notifications over and over until the exhausted user approves one. This article delves into MFA spamming attacks, including the best practices to mitigate this growing threat.


Subject: FTC Bans InMarket for Selling Precise User Location Without Consent
Source: The Hacker News

“InMarket will also be prohibited from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data,” the FTC said last week.

In addition, it has been ordered to destroy all the location data it previously collected subject to users’ assent, as well as provide a mechanism for consumers to withdraw their consent and request deletion of the information previously collected.

The development makes InMarket the second data aggregator to face a ban in as many weeks after Outlogic (formerly X-Mode Social), which faced accusations that it had sold location information that could be used to track users’ visits to medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

The disclosure comes as a joint study published by Consumer Reports and The Markup found that Meta-owned Facebook gets data on individual users from thousands of companies.

Subject: How To Use Google’s Fact Check Explorer To Verify Claims on the Web
Source: Gizmodo

Gizmodo: “It’s getting more and more difficult to know whether or not to believe what you see on the web and on social media, what with misinformation and faked content now churned out on a huge scale, but there are resources that can help you find the truth: Including a tool called Fact Check Explorer that’s maintained by Google. In Google’s words, the tool “gives journalists and fact checkers a deeper way to learn about an image or topic”, and it taps into the fact check markup feature that Google makes available to online publishers. If a reputable website has carried out a fact check on a claim, then the markup feature helps make the fact check more visible to Google. As the name suggests, Fact Check Explorer simply lets you explore all of these fact checks—…

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: Amazon France fined $35 million for worker surveillance violations
Source: UPI

Jan. 23 (UPI) — France’s Commission Nationale Informatique & Libertés (CNIL) on Tuesday fined Amazon France Logistique $34.67 million for illegal data tracking of its workers. The CNIL determined Amazon tracked workers’ inactivity times so closely that they were in effect required to account for every minor work interruption, singling out two measures: an idle-time indicator and a “latency under 10 minutes” indicator that tracked scanner interruptions of between one and 10 minutes.

In the United States, Amazon last year was fined $46,875 for safety violations in its warehouses located in Aurora, Colo.; Nampa, Idaho; and Castleton, N.Y. Officials with the Occupational Safety and Health Administration cited the online retailer for exposing workers to ergonomic hazards that could lead to repetitive motion injuries and musculoskeletal disorders.

Subject: CISA Joins ACSC-led Guidance on How to Use AI Systems Securely
Source: CISA

CISA has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) on Engaging with Artificial Intelligence—joint guidance, led by ACSC, on how to use AI systems securely. The following organizations also collaborated with ACSC on the guidance:…

The guidance provides AI systems users with an overview of AI-related threats as well as steps that can help them manage AI-related risks while engaging with AI systems. The guidance covers the following AI-related threats…

Note: This guidance is primarily for users of AI systems. CISA encourages developers of AI systems to review the recently published Guidelines for Secure AI System Development.

To learn more about how CISA and our partners are addressing both the cybersecurity opportunities and risks associated with AI technologies, visit


Subject: The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase
Source: Apple Newsroom

The Continued Threat to Personal Data: Key Factors Behind the 2023 Increase. Professor Stuart E. Madnick, Ph.D. December 2023: “Around the world, individuals’ most private, most personal data has become a target for cybercriminals. Attacks and data breaches across the globe continue to increase. Even as organizations work to fight back, cybercriminals are constantly finding new ways to access and exploit readable personal data, in particular when stored in the cloud. Last year’s study, “The Rising Threat to Consumer Data in the Cloud,” found that these threats had reached historically high levels. And now, with complete data from 2022 and most of 2023 underway, many indicators show that the threat is getting even worse. For US organizations, data breaches are now at an all-time high. In just the first nine months of 2023, data breaches in the US have already increased by nearly 20% compared to all of 2022 — and organizations around the world have faced similar trends. These attacks are increasingly impactful…”

Subject: Hackers pose as hospital revenue cycle workers to trick IT staff
Source: Becker’s Health IT

Hackers have been impersonating hospital revenue cycle workers and tricking IT staff into giving them log-in credentials to steal money from the health systems, the American Hospital Association warned.As part of the so-called “social engineering scheme,” presumably foreign-based cybercriminals steal the identities of revenue cycle employees or other finance staffers, calling IT help desks and correctly answering security questions, the AHA reported Jan. 12. They then request to reset their passwords and enroll new devices, getting full access to the employees’ accounts and diverting payments to fraudulent bank accounts.

“This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes,” said John Riggi, AHA’s national advisor for cybersecurity and risk, in the article.
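Both this help-desk scheme and the MFA-fatigue item above are visible in identity-provider logs if you look for the sequence rather than any single event. The following is an added example, not from either article: two detection rules over a constructed identity-event log. The log format, the event names and the thresholds (five push prompts within ten minutes; a help-desk password reset followed by a new MFA device and a payout-account change within 72 hours) are assumptions to be mapped onto your own IdP’s and HR/finance systems’ events.

```python
"""Two identity-abuse detections over a constructed authentication/identity event stream.

Added example, not from the articles above. Log format, event names and thresholds
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events ("<UTC timestamp> <user> <event>"); not real logs.
# alice: push-bombed and finally approves.  bob: normal logins.
# dana: help-desk reset -> new MFA device -> payout change (the AHA chain).
# erin: help-desk reset, new device only after the correlation window.
SAMPLE_LOG = """\
2024-01-22T03:14:01Z alice push_sent
2024-01-22T03:14:09Z alice push_denied
2024-01-22T03:14:30Z alice push_sent
2024-01-22T03:14:38Z alice push_denied
2024-01-22T03:15:05Z alice push_sent
2024-01-22T03:15:12Z alice push_denied
2024-01-22T03:15:40Z alice push_sent
2024-01-22T03:15:47Z alice push_denied
2024-01-22T03:16:10Z alice push_sent
2024-01-22T03:16:18Z alice push_denied
2024-01-22T03:16:45Z alice push_sent
2024-01-22T03:16:52Z alice push_approved
2024-01-22T09:00:00Z bob push_sent
2024-01-22T09:00:08Z bob push_approved
2024-01-22T10:30:00Z bob push_sent
2024-01-22T10:30:05Z bob push_approved
2024-01-22T14:02:11Z dana helpdesk_password_reset
2024-01-22T14:09:40Z dana mfa_device_enrolled
2024-01-23T08:15:00Z dana payout_account_changed
2024-01-22T11:00:00Z erin helpdesk_password_reset
2024-01-25T16:30:00Z erin mfa_device_enrolled
"""


def parse(log_text):
    """Group events per user as sorted (timestamp, event) pairs."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, event = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event))
    for evs in events.values():
        evs.sort()
    return dict(events)


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive >= threshold push prompts inside a sliding window, and record
    whether an approval landed inside that burst (the attacker's goal)."""
    findings = {}
    for user, evs in events.items():
        sent = [t for t, e in evs if e == "push_sent"]
        j = 0
        for i, t in enumerate(sent):
            while sent[j] < t - window:          # slide the window's left edge
                j += 1
            count = i - j + 1
            if count >= threshold:
                burst_start = sent[j]
                approved = any(e == "push_approved" and burst_start <= t2 <= burst_start + window
                               for t2, e in evs)
                prev = findings.get(user, {"pushes": 0, "approved_in_burst": False})
                findings[user] = {"pushes": max(prev["pushes"], count),
                                  "approved_in_burst": prev["approved_in_burst"] or approved}
    return findings


def detect_helpdesk_takeover(events, window=timedelta(hours=72)):
    """Flag a help-desk password reset followed within `window` by a new MFA device
    enrolment; note whether payout/bank details were also changed in that window."""
    findings = {}
    for user, evs in events.items():
        for t0 in (t for t, e in evs if e == "helpdesk_password_reset"):
            after = [e for t, e in evs if t0 <= t <= t0 + window]
            if "mfa_device_enrolled" in after:
                findings[user] = {"reset_at": t0.isoformat(),
                                  "payout_changed": "payout_account_changed" in after}
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("push bombing:", detect_push_bombing(evs))
    print("help-desk takeover:", detect_helpdesk_takeover(evs))
```

Run against the sample, only alice trips the push-bombing rule (six prompts in under three minutes, with an approval inside the burst) and only dana trips the help-desk rule; bob’s two routine approvals and erin’s late device enrolment stay below the thresholds. The second rule is the one worth wiring to a page: a reset plus a new device plus a change of payout details is exactly the chain the AHA described.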

Subject: Personnel security clearances, vetting processes designated as ‘high risk,’ watchdog reports
Source: FedScoop

The Office of Personnel Management and the Office of the Director of National Intelligence do not have adequate data for assessing government security clearances and other vetting processes, the Government Accountability Office said in a report released Monday. In its investigation, GAO found that data about vetting determinations or “reciprocity” — which allows for federal workers to transfer to different agencies without a new background check — was inconsistent and incomplete, presenting a high risk. The watchdog said that 2 out of 5 agencies “did not report required data to ODNI on the frequency which they determined individuals were ineligible for reciprocity,” and agencies responded that they sometimes reported data from the agency level and other times by component….


Subject: GSA used ‘egregiously flawed’ data to clear purchase of Chinese-made cameras, watchdog says
Source: Nextgov/FCW

The inspector general’s report noted that the acquired video conferencing cameras were not compliant with the 1979 Trade Agreements Act and contained security flaws that, in some instances, had still gone unpatched. The General Services Administration used “egregiously flawed” market research in its decision to purchase 150 Chinese-made video conferencing cameras that did not comply with U.S. trade standards, the agency’s oversight office said in a report released Tuesday.

The U.S.-based firm, which was unnamed and designated only as “Company A” in the report, provided the agency with cameras manufactured in China that did not comply with the 1979 Trade Agreements Act and contained known security flaws that still need to be addressed, according to GSA’s Office of Inspector General.

The agency’s OIG was contacted in 2022 by an unnamed employee concerned about the purchase and use of the equipment. The procurement was greenlit by GSA CIO David Shive, and was made through GSA’s Federal Acquisition Service’s Federal Systems Integration and Management Center — or FEDSIM — in two separate orders: 70 purchased in March 2022, followed by an additional 80 in October 2022.




Subject: Zero-Click Bluetooth Attack: A Growing Threat for Unpatched Android Phones
Source: gHacks Tech News

‘Mobile Hacker’ used proof-of-concept (PoC) exploitation scripts released by Marc Newlin earlier this month. These scripts are freely accessible on GitHub and take advantage of the weaknesses tracked as CVE-2023-45866, CVE-2024-21306, and CVE-2024-0230. They force-pair an emulated keyboard over Bluetooth with targets running different operating systems, thereby enabling keystroke injection. What’s truly alarming about these scripts is that they work on devices where Bluetooth is enabled and active, meaning they’re in an unlocked state. The attack can be launched from another mobile device within Bluetooth range without requiring any interaction with the victim or leaving any noticeable signs of a breach. This vulnerability highlights the importance of keeping our devices updated and staying vigilant against potential threats lurking in our digital space.

These attacks are as stealthy as they sound and can impact unpatched Android phones. Let’s dive deeper to understand this modern menace.



Subject: Inside a Global Phone Spy Tool Monitoring Billions
Source: 404 Media

“Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps’ users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

The pervasive surveillance machine that has been developed for digital advertising now directly enables government mass surveillance. Many businesses, from app publishers to advertisers to big tech, are acting completely irresponsibly. This must end,” Wolfie Christl, the principal of Cracked Labs, an Austrian research institute and co-author of a paper published last year that researched the surveillance tool, told 404 Media…” [Source – Europe’s hidden security crisis. How data about European defence personnel and political leaders flows to foreign states and non-state actors. Irish Council for Civil Liberties (ICCL)]


Subject: Wyden Releases Documents Confirming the NSA Buys Americans’ Internet Browsing Records
Source: FTC and US Senate

“U.S. Senator Ron Wyden, D-Ore., released documents confirming the National Security Agency buys Americans’ internet records, which can reveal which websites they visit and what apps they use. In response to the revelation, today Wyden called on the administration to ensure intelligence agencies stop buying personal data from Americans that has been obtained illegally by data brokers. A recent FTC order held that data brokers must obtain Americans’ informed consent before selling their data.  “The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”…Wyden urged the DNI to direct U.S. intelligence agencies to stop purchasing Americans’ private data that was obtained unlawfully in violation of new rules outlined by the Federal Trade Commission this month. Through this case, the FTC announced that Americans must be told and agree to their data being sold to “government contractors for national security purposes,” for the practice to be allowed. Wyden, who has spent seven years investigating the data broker industry, is not aware of any company that provides such a warning to users before collecting their data.  Wyden also asked the DNI to direct intelligence agency elements to take three actions to ensure they are complying with the FTC’s latest rulings:…

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: Using Google Search to Find Software Can Be Risky
Source: Krebs on Security

Google continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications. The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair. Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to create and enforce its abuse policies. And by most accounts, the threat from bad ads leading to backdoored software has subsided significantly compared to a year ago.

But cybercrooks are constantly figuring out ingenious ways to fly beneath Google’s anti-abuse radar, and new examples of bad ads leading to malware are still too common.

For example, a Google search earlier this week for the free graphic design program FreeCAD produced the following result, which shows that a “Sponsored” ad at the top of the search results is advertising the software available from freecad-us[.]org. Although this website claims to be the official FreeCAD website, that honor belongs to the result directly below — the legitimate

Posted in: AI, Copyright, Cybercrime, Cybersecurity, Healthcare, Internet Trends, Legal Research, Legislative, Privacy, Search Engines, Social Media