Pete Recommends – Weekly highlights on cyber security issues, June 22, 2024

Subject: Meta hits pause on EU AI training plans under pressure
Source: The Register
https://www.theregister.com/2024/06/14/meta_eu_privacy/

Meta has caved to European regulators, and agreed to pause its plans to train AI models on EU users’ Facebook and Instagram posts — a move that the social media giant said will delay its plans to launch Meta AI in the economic zone. For everyone else outside the EU, Meta will be going full steam ahead using your public social media posts to train its neural networks.

The decision to halt AI training using EU content follows complaints to data protection agencies in 11 European countries – and those agencies, led by Ireland, telling the Facebook giant to scrap the slurp.

And while this climb down has been cheered by privacy advocates, Meta called it “a step backwards for European innovation” that will cause “further delays bringing the benefits of AI to people in Europe.”

Meta on Monday said it hoped to use Europeans’ data to train its models. It promised to only use public posts and comments — not private chats and DMs — and to not use any content from anyone under the age of 18. Crucially, the biz said it would give Euro folks a chance to opt out; a safeguard not extended to the rest of the world.



Subject: Wells Fargo Employees Fired for Faking Being at Their Desk
Source: Gizmodo
https://gizmodo.com/wells-fargo-employees-fired-mouse-jigglers-1851541393

Over a dozen Wells Fargo employees were fired last month for trying to fool their bosses into thinking they were working when they were not, as first reported by Bloomberg Thursday. It seems they were unsuccessful. A regulatory filing with the Financial Industry Regulatory Authority (FINRA) says the bank investigated the staff’s “simulation of keyboard activity” and let some folks go who were creating the “impression of active work.”

While the filing doesn’t specify further, it appears to be referring to “mouse jigglers” that took off during the pandemic. These devices sit on your mouse or trackpad and periodically move it an inch, to simulate an active status on your work computer. You can find them on Amazon for $20 to $30, but if you’re not careful, it could also cost you your job.


Subject: Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested
Source: Krebs on Security
https://krebsonsecurity.com/2024/06/alleged-boss-of-scattered-spider-hacking-group-arrested/

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years. The Spanish daily Murcia Today reports the suspect was wanted by the FBI and arrested in Palma de Mallorca as he tried to board a flight to Italy.

“He stands accused of hacking into corporate accounts and stealing critical information, which allegedly enabled the group to access multi-million-dollar funds,” Murcia Today wrote. “According to Palma police, at one point he controlled Bitcoins worth $27 million.”

The cybercrime-focused Twitter/X account vx-underground said the U.K. man arrested was a SIM-swapper who went by the alias “Tyler.” In a SIM-swapping attack, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls sent to the victim — including one-time passcodes for authentication, or password reset links sent via SMS.

“He is a known SIM-swapper and is allegedly involved with the infamous Scattered Spider group,” vx-underground wrote on June 15, referring to a prolific gang implicated in costly data ransom attacks at MGM and Caesars casinos in Las Vegas last year.

Investigators say Scattered Spider members are part of a more diffuse cybercriminal community online known as “The Com,” wherein hackers from different cliques boast loudly about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram maintains a frequently updated leaderboard of the most accomplished SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard currently lists Sosa as #24 (out of 100), and Tylerb at #65.

TURF WARS – Sosa and Tylerb were both subjected to physical attacks from rival SIM-swapping gangs. These communities have been known to settle scores by turning to so-called “violence-as-a-service” offerings on cybercrime channels, wherein people can be hired to perform a variety of geographically-specific “in real life” jobs, such as bricking windows, slashing car tires, or even home invasions.



Subject: Microsoft: New Outlook security changes coming to personal accounts
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/microsoft-new-outlook-security-changes-coming-to-personal-accounts/

Microsoft has announced new cybersecurity enhancements for Outlook personal email accounts as part of its ‘Secure Future Initiative,’ including the deprecation of basic authentication (username + password) by September 16, 2024.

The software giant also announced the end of support for ‘Mail’ and ‘Calendar’ apps on Windows, the deprecation of Outlook Light, and removing users’ ability to access Gmail accounts via Outlook.com.

Moving to modern authentication – Starting September 16, 2024, Basic Authentication (username and password) for Outlook clients will be phased out for all Outlook personal accounts, including Outlook.com, Hotmail.com, and Live.com.

The basic authentication method is unsafe as it sends credentials over the wire without encryption, allowing network monitoring tools to capture them. Furthermore, browsers and other applications commonly cache basic authentication credentials until the browser is restarted, allowing them to be used by others with access to the device.
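To make the point above concrete, here is an added example (not code from BleepingComputer or Microsoft) that decodes the `Authorization: Basic` header and audits a few constructed request records the way a proxy or IDS log review might: the base64 token is reversible by anyone who sees it, so Basic auth on plaintext HTTP exposes the password outright, and even over TLS it resends a reusable password on every request. The hostnames, usernames and passwords in the sample are made up.

```python
import base64
import binascii

# Constructed sample of captured requests as a proxy or IDS might record them:
# (scheme, request line, headers). Not real traffic; hosts and credentials are invented.
SAMPLE_REQUESTS = [
    ("http", "GET /owa/ HTTP/1.1",
     {"Host": "mail.example.test",
      "Authorization": "Basic " + base64.b64encode(b"alice@example.test:Winter2024!").decode()}),
    ("https", "GET /api/v2.0/me/messages HTTP/1.1",
     {"Host": "outlook.office.com",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOi..."}),  # constructed, truncated token
    ("https", "GET /EWS/Exchange.asmx HTTP/1.1",
     {"Host": "mail.example.test",
      "Authorization": "Basic " + base64.b64encode(b"bob@example.test:hunter2").decode()}),
]


def decode_basic(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None.

    Basic auth is only base64 *encoded*, not encrypted: anyone who observes the
    header can reverse it exactly as this function does.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed token, not a usable credential
    user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
    if not sep:
        return None  # RFC 7617 requires the 'user:password' form
    return user, password


def audit_requests(requests):
    """Classify each request for a defender's review.

    'critical': Basic auth on plaintext HTTP, credentials readable on the wire.
    'warn':     Basic auth over TLS, still a reusable password on every request
                and a method Microsoft is retiring for Outlook.com accounts.
    'ok':       anything else (e.g. a bearer token from modern auth).
    Only the username is kept in the finding so the report itself doesn't leak secrets.
    """
    findings = []
    for scheme, request_line, headers in requests:
        creds = decode_basic(headers.get("Authorization", ""))
        if creds is None:
            findings.append({"host": headers.get("Host"), "severity": "ok", "user": None})
            continue
        severity = "critical" if scheme == "http" else "warn"
        findings.append({"host": headers.get("Host"), "severity": severity, "user": creds[0]})
    return findings


if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print(f"{f['severity']:8} {f['host']:25} user={f['user']}")
```

Run it and the plaintext `mail.example.test` request is reported as critical while the same Basic credential over TLS is only a warning; the bearer-token request passes. The same decoding is what any interception point on the path can perform, which is the reason the article gives for retiring the method.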

“While Basic Auth was the standard for quite some time, it also made it easier for bad actors to capture a person’s login information,” explains Microsoft.

However, these changes will cause problems for users using older apps that only support Basic Authentication, as they will no longer be able to access Outlook.com, Hotmail.com, or Live.com email accounts after September 16.

Deprecations and EoL announcements – Microsoft also announced the deprecation of the Mail and Calendar apps, encouraging existing users to migrate to the new Outlook for Windows, which offers enhanced security.

Mail and Calendar will remain on the Microsoft Store until December 31, 2024, and after that date, they will no longer be supported.

A “switch to Outlook” toggle will be added to the interfaces of both apps to streamline the migration process for impacted users.

Another deprecation is the ‘light’ version of the Outlook Web App, which reaches the end of support on August 19, 2024.



Subject: Sick of scams? Stop answering your phone
Source: Washington Post
https://www.bespacific.com/sick-of-scams-stop-answering-your-phone-renting-practices-and-early-adolescent-screen-use/; Washington Post [unpaywalled]:

“The first rule of avoiding scam calls is to never answer unknown numbers, and even some known ones. Curious? Bored? Worried it’s an emergency? Wait the extra minute it takes for the call to go to voice mail, then decide if it’s legitimate. Unfortunately, every year hundreds of thousands of people in the United States either ignore that golden rule or are tricked into answering. According to the Federal Trade Commission, people lost $851 million to phone scams in 2023. After email, phone scams are the most common fraud method reported to the FTC…”

Subject: 5 things to know about proactive voice assistants
Source: Android Headlines
https://www.androidheadlines.com/2024/06/5-things-to-know-about-proactive-voice-assistants.html

Proactive voice assistants are advanced versions of voice-activated technology that offer more than just reacting to commands—they predict user needs and offer assistance before being asked. This new technology uses complex algorithms to analyze user behavior, preferences, and data to predict what the user might need next, whether it’s a traffic update on the way to work or a reminder about an upcoming appointment. As voice technology becomes integrated into our daily lives, this feature can significantly improve the efficiency of it. However, this also comes with the responsibility of securely managing our personal data. One way we can do it is by using a VPN free trial which strengthens digital privacy and also defends against cyber threats. It is also important for users to be vigilant about the permissions they grant and aware of the information they share. Keeping your data secure and understanding privacy policies are crucial steps in protecting your personal information from potential misuse. Here are other essential things to know about proactive voice assistants…

Filed: https://www.androidheadlines.com/category/tech-news


Subject: Malware peddlers love this one social engineering trick!
Source: Help Net Security
https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/

Social engineering users to install malware

Getting users to install malware on their computers was always a matter of finding the right lure and bypassing security protections. As the latter get better (and broader) and users’ awareness of attackers’ usual tricks increases, threat actors must adapt their tactics.

One method that is getting increasingly popular is the fake error message, whether displayed by a website or when opening an HTML document delivered as an email attachment.

If the desire or need to see the webpage/document is great, many users will go through the outlined steps to “install the root certificate”, “resolve the issue”, “install the extension”, or “update the DNS cache manually”.

“Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” the researchers noted.

If browsing protections and email filters fail to block these sites and emails, users are the last line of defense. “Organizations should train users to identify the activity and report suspicious activity to their security teams,” Proofpoint advises.


Subject: Feds Sue Adobe for ‘Trapping’ Customers in Long, Expensive Subscriptions
Source: Gizmodo
https://gizmodo.com/adobe-federal-lawsuit-doj-creative-cloud-apm-1851544519

The U.S. government sued Adobe on Monday for allegedly “trapping” customers in its default, most lucrative subscription plan. In a complaint, the Department of Justice (DOJ) writes that Adobe locks customers into a year-long agreement that’s not effectively disclosed as such, and “ambushing” users with hefty hidden fees when they try to cancel. The DOJ specifically calls out the “Annual, Paid Monthly” or APM plan, which Adobe presents as the default option for several software products. The APM plan allows users to pay the lowest amount on the day they sign up. However, the complaint alleges Adobe hides an early termination fee (ETF) that can cost users hundreds of dollars depending on when they cancel.


Subject: HHS warns of cybersecurity vulnerability affecting healthcare
Source: Becker’s Health IT
https://www.beckershospitalreview.com/cybersecurity/hhs-warns-of-cybersecurity-vulnerability-affecting-healthcare.html

HHS is warning the healthcare sector of a cybersecurity vulnerability that could affect a “massive” number of servers. The vulnerability exists in Hypertext Preprocessor, or PHP, an open-source scripting language on Windows and Linux systems, according to HHS’ Office of Information Security and Health Sector Cybersecurity Coordination Center.

“Despite only being discovered a few days ago, cybersecurity researchers have already confirmed detected exploitation attempts involving the flaw against its honeypot servers within 24 hours of public disclosure of the vulnerability,” the June 12 sector alert said. “As with any critical vulnerability impacting many devices, once disclosed, both threat actors and researchers immediately began attempting to find vulnerable systems.”


Subject: Will there be a $600 Social Security increase this month? Officials warn of scam
Source: NXSTTV
https://www.nxsttv.com/nmw/news/social-security-administration-raises-alarm-over-600-payment-increase-scam/

Social Security-related scams are the number one government imposter scam in the United States and last year consumers reported losing more than $126.5 million to them, according to the Federal Trade Commission (FTC).

Official announcements about changes to payments can be found on the government website. Individuals are also notified directly.

When will the 2025 COLA increase be announced?

The annual cost-of-living-adjustment (COLA) for 2025 will be announced in October. Any changes will then appear in your check starting in January 2025.

The latest estimate from The Senior Citizens League projects Social Security’s COLA will be 2.57% in 2025 but that isn’t set in stone. The final amount is calculated based on the average inflation rate from July to September, which is then compared to the same period the year before.


Subject: As mobile IDs proliferate, concerns about cybersecurity and data privacy mount
Source: Route Fifty
https://www.route-fifty.com/digital-government/2024/06/mobile-ids-proliferate-concerns-about-cybersecurity-and-data-privacy-mount/397466/

New York is the latest state to adopt a mobile driver’s license. But while the technology holds promise and is convenient for users, there remain concerns.

New York is rolling out mobile driver’s licenses, giving residents in the Empire State the option to ditch plastic for digital IDs—at least some of the time.

With the launch, New York joins a dozen other states in offering mobile IDs. The New York Mobile ID app was announced at a press conference last week at LaGuardia Airport, where it can be used—in addition to 27 other airports—for identity verification. According to the Transportation Security Administration, New York is now the ninth state to offer digital IDs that are interoperable with the TSA’s credential authentication technology.

And as more states move towards requiring age verification to access social media and adult websites, mobile IDs will play a key role.

Tim LeMaster, vice president of global systems engineering for the data security company Lookout, noted that mobile IDs are “just another application for our mobile devices,” which are already vulnerable to hacks. He pointed to recent research from his company that found that 60% of mobile devices run on outdated operating systems, meaning they can be compromised by anything from a phishing email or text message to an unsecure connection.

Still, the risk that users’ personal information could be exposed remains, potentially creating headaches for states as they wrestle with the ongoing threat of hacks and attempt to implement their own data privacy laws.

In January, the New York Civil Liberties Union’s Surveillance Resistance Lab sent New York Commissioner Schroeder a letter warning that a mobile ID program “drastically changes what it means for New Yorkers to have a state-issued ID and exposes them to numerous risks.” The group said the program uses “largely untested technology” and has an “unprecedented data collection program.”

NYCLU raised concerns about the program’s use by law enforcement to track residents or access their mobile devices through a seizure. That is especially troubling for the state’s immigrant community, which spent years fighting to expand access to driver’s licenses in New York and now may be vulnerable to their mobile license being used by immigration authorities to find them.

[…]



Subject: Officials Query if Any Deaths Directly Linked to UK Hospital Hack
Source: Bloomberg via archive.today
https://archive.is/W4UXn#selection-1346.0-1346.1

[h/t Sabrina]

Hundreds of planned operations were delayed after the June 3 cyberattack. Officials are asking if this month’s UK hospital hack resulted in fatalities. But first…

The Cyber Angle – As the fallout from a cyberattack affecting hospitals in London enters its third week, doctors have been asked to report any deaths or other serious harms directly linked to the incident.

On June 3, a group of ransomware hackers compromised a lab services provider, Synnovis, and locked down the company’s systems, triggering major disruptions at hospitals and clinics in South East London. In the first week, doctors delayed 800 planned operations and 700 outpatient appointments and resorted to handwritten records, while a hospital solicited blood from its own clinical workers after the hack.


Subject: CDK Investigates Cyberattack That Halted Much of Its Systems for Hours
Source: Bloomberg via archive.today
https://archive.is/bzRN3#selection-1682.0-1695.250

[h/t Sabrina]

Thousands of car dealerships were ground to a halt during a normally busy holiday Wednesday by a cyber incident at CDK Global, a major software provider for dealers across the US. The company “shut all systems down and executed extensive testing and consulted with external third-party experts,” Tony Macrito, a CDK spokesman, said in an email. The company’s core product — a dealer management system — and its digital retailing solutions have been restored, and CDK is testing all other applications and will provide updates as it brings them back online, Macrito said.

CDK’s systems, which many car dealerships rely on to conduct nearly all of their normal business, first went down around 2 a.m. Eastern time, said Brad Holton, vice president of Proton, a cybersecurity firm that serves dealers and the auto industry.

Subject: Top news app caught sharing “entirely false” AI-generated news
Source: Ars Technica
https://arstechnica.com/tech-policy/2024/06/top-news-app-caught-sharing-fake-ai-news-based-on-ai-summaries/

After the most downloaded local news app in the US, NewsBreak, shared an AI-generated story about a fake New Jersey shooting last Christmas Eve, New Jersey police had to post a statement online to reassure troubled citizens that the story was “entirely false,” Reuters reported.

“Nothing even similar to this story occurred on or around Christmas, or even in recent memory for the area they described,” the cops’ Facebook post said. “It seems this ‘news’ outlet’s AI writes fiction they have no problem publishing to readers.”

It took NewsBreak—which attracts over 50 million monthly users—four days to remove the fake shooting story, and it apparently wasn’t an isolated incident. According to Reuters, NewsBreak’s AI tool, which scrapes the web and helps rewrite local news stories, has been used to publish at least 40 misleading or erroneous stories since 2021.

These misleading AI news stories have caused real harm in communities, seven former NewsBreak employees, speaking anonymously due to confidentiality agreements, told Reuters.

Sometimes, the AI gets the little details wrong. One Colorado food bank, Food to Power, had to turn people away after the app posted inaccurate food distribution times.

Other times, the AI wholly fabricates events. A Pennsylvania charity, Harvest912, told Reuters that it had to turn homeless people away when NewsBreak falsely advertised a 24-hour foot-care clinic.

“You are doing HARM by publishing this misinformation—homeless people will walk to these venues to attend a clinic that is not happening,” Harvest912 pleaded in an email requesting that NewsBreak take down the story.

NewsBreak told Reuters that all the erroneous articles affecting those two charities were removed but also blamed the charities for supposedly posting inaccurate information on their websites.

“When NewsBreak identifies any inaccurate content or any violation of our community standards, we take prompt action to remove that content,” the company told Reuters.

NewsBreak told Reuters that “the inaccurate information” in the fake shooting story “originated from” a “content source,” as opposed to being hallucinated by AI.

The content source identified by NewsBreak is an article on a news site called FindPlace.xyz. It was written by a journalist named Amelia Washington, who has contributed most of the site’s most recent content. There is no public profile for Amelia Washington outside of the news site, and a reverse image search of the photo used with her bio suggests a stock photo was used. The same photo appeared on a testimonial for a nutritional supplement on Amazon and on posts for foreign freelance sites where her name and background do not match her FindPlace.xyz bio.

Filed: https://arstechnica.com/tech-policy/


Subject: The Best Free and Paid AI Document Summarizer Tools In 2024
Source: tech.co
https://tech.co/news/best-ai-summarizer-tools

[define “best” … not sure how they determined that or its accuracy of the tools … ] Let’s be honest, whether you’re a busy student or a full-time worker, finding time to read full bodies of text back-to-back isn’t always easy, especially if you have to go through multiple documents in one sitting.

Thankfully, by leveraging the power of generative artificial intelligence, AI summarizer tools can be used to condense documents, articles, research papers, and more into useful summaries – trimming down the fat for you so you have more time to focus on the content that matters.

With so many AI summarizers available, we rounded up some of our top picks and pointed out which are best for different use cases. We also cover their prices and whether they offer a free version, to help connect you to an AI platform in your budget. Read on to find out how the best AI summarizers compare against the competition, and to learn why the tools are emerging as one of the best time-saving hacks of 2024.

AI summarizer tools can be used to create concise rundowns of large bodies of text in seconds, making it easier for users to get the main highlights of news articles, business documents, research papers, and more, without spending half an afternoon doing so.

The Best AI Summarizer Tools in 2024 – AI summarizers have the potential to revolutionize the way you work. Take a look at our favorite platforms, and what they’re best suited to, below.

[…]


Subject: Biden administration bans Kaspersky software over Russian ties
Source: The Hill
https://thehill.com/policy/international/4732685-biden-administration-russian-kaspersky-software-ban/

The Biden administration is issuing a total ban on the use of Kaspersky Lab’s software over its ties to Russia.

The company’s software has been a concern of the U.S. government since at least 2017 because of the Russian government’s alleged influence over the software. The Russian government has total access to Kaspersky systems and access to all its customer’s data, ABC News reported.

“Russia has shown it has the capacity, and even more than that, the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans,” Commerce Secretary Gina Raimondo said Thursday, the outlet reported.

[…]

Filed: https://thehill.com/policy/international/


Posted in: AI, Communications, Cybercrime, Cybersecurity, Healthcare, Legal Research, Social Media