Pete Recommends – Weekly highlights on cyber security issues, July 20, 2024

Subject: White House urged to probe $1.5B G42-Microsoft AI deal
Source: The Register
https://www.theregister.com/2024/07/12/g42_uae_us_house/

Two House committee chairs have sent a public letter to the White House asking it to look into a deal between AI R&D outfit G42 and Microsoft. The missive to National Security Adviser Jake Sullivan is authored by Reps Michael McCaul (R-TX) and John Moolenaar (R-MI), respectively the chairs of the House Foreign Affairs Committee and the House Committee on Strategic Competition with the Chinese Communist Party (CCP).

The two Republicans warn the Microsoft deal raises the risk of advanced American AI technology making its way to China via G42.

“This deal may be one of the most consequential investments by a US technology firm in the Middle East in decades,” the letter reads. “Should this deal proceed further, we must be clear-eyed about the risks.”


In April, Microsoft announced it would be pouring $1.5 billion into United Arab Emirates-based G42. The two House reps point out that UAE President Sheikh Mohamed bin Zayed Al Nahyan visited Beijing to deepen his country’s ties with the Middle Kingdom, specifically in relation to AI.

G42 also found itself under the microscope for its ties to China less than a year ago, after it emerged US intelligence feared China and G42 were a little too friendly. House Reps scrutinizing the CCP have had their eyes on G42, too, having written a letter to US Commerce Secretary Gina Raimondo in January raising concerns about the Middle-East operation.



Subject: This is likely the biggest password leak ever: nearly 10 billion credentials exposed
Source: Mashable
https://mashable.com/article/rockyou2024-leaked-password-database

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” write Cybernews’ researchers. “Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”

As Cybernews researchers point out, this list may very well be the largest password leak ever, beating the previous record holder known as RockYou2021, which had around 8.4 billion passwords.

In fact, the hacker forum user “ObamaCare” claims they used that older list and updated it with newer password leak data from over the past three years. As a result, 1.5 billion more passwords have been added to the previous compilation to create RockYou2024.



Subject: Google nears $23 billion acquisition of cybersecurity startup Wiz
Source: Android Headlines
https://www.androidheadlines.com/2024/07/google-nears-23-billion-acquisition-of-cybersecurity-startup-wiz.html

Google is reportedly closing in on its biggest acquisition ever. The tech titan is on the verge of buying cloud cybersecurity startup Wiz for around $23 billion, The Wall Street Journal reports. The talks have already progressed to an advanced stage, people familiar with the matter told the publication. The biggest Google acquisition so far is Motorola Mobility, which it bought for $12.5 billion in 2012 and sold for $2.91 billion in 2014.


Founded in 2020 by four former Microsoft employees, Wiz is a New York-based cloud cybersecurity provider. It specializes in analyzing corporate cloud computing infrastructure for combinations of risk factors that could lead to security breaches. The startup uses data from Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Oracle Cloud, and other cloud platforms to identify potential risk factors.

The firm’s solutions allow companies to “rapidly identify and remove critical risks” and secure their cloud platforms. In August 2022, Wiz claimed to be the fastest startup to scale from $1 million to $100 million in annual recurring revenue (ARR). It allegedly achieved the feat in around 18 months. The startup has raised $1.9 billion in various funding rounds in its lifetime. Of that, $1 billion came in Series E funding in April 2024.

The deal might face strict regulatory scrutiny and could even fall through.

Filed: https://www.androidheadlines.com/category/tech-news


Subject: How to Stay Safe From Third-Party Seller Scams
Source: NerdWallet
https://www.nerdwallet.com/article/finance/third-party-seller-scams

When shopping online, there’s more to consider than what to buy and how much to spend. If you plan to shop marketplaces such as Amazon, Etsy and Walmart that host third-party sellers, you’ll also want to watch out for scams.

Derrek Casebolt thought he was getting a steal when he bought a gaming controller and headphones bundle, normally priced around $170, for about $100 from a seller on the Walmart app. Soon after, Casebolt — who works for UPS in the Fresno, California, area — received a phony tracking number for the order and learned he’d been scammed. “I saw the number, and I was like, ‘That’s not right.’ I immediately knew.”

Casebolt then double-checked the order details and noticed the seller had used a name similar to that of a legitimate company, but the spelling was off. He tried to contact the seller unsuccessfully. “When I couldn’t get ahold of them, I immediately let Walmart know,” he says. “But they didn’t really give me any information. They just told me to go to my bank.” The bank that issued Casebolt’s credit card removed the charge.

According to a TransUnion study from the second quarter of 2024, among the 40% of consumers who said they were targeted by online, email, phone call or text message fraud, 18% said they were targeted in third-party seller scams on legitimate e-commerce websites. Here’s how to stay safe from third-party seller scams when shopping Amazon Prime Day and other sales throughout the year.

Subject: The US Supreme Court Kneecapped US Cyber Strategy
Source: WIRED
https://www.wired.com/story/us-supreme-court-chevron-deference-cybersecurity-policy/ [h/t Sabrina]

President Joe Biden’s strategy relied on agencies interpreting the laws that give them regulatory powers to include cybersecurity, with the expectation that courts would defer to their interpretations of those laws under a decades-old legal doctrine known as Chevron deference.

But in a landmark case decided in late June, Loper Bright Enterprises v. Raimondo, the United States Supreme Court’s conservative supermajority eliminated Chevron deference and ordered courts to determine for themselves what ambiguous laws say—without assigning nearly as much weight to agencies’ interpretations.

Now, that controversial ruling could completely upend multiple agencies’ plans to require better cybersecurity from critical infrastructure entities like hospitals, water systems, and power plants. It could even help corporate America overturn existing rules aimed at keeping hackers off cloud platforms, securing pipelines and airports, and improving disclosures of major breaches.

“There’s the possibility of lawsuits to test the waters in a lot of regulations,” says Harley Geiger, counsel with the Center for Cybersecurity Policy and Law. “It definitely becomes much more difficult to regulate on critical infrastructure cybersecurity in areas where there is not sound or clear statutory backing.”

Landmark Cyber Program Under Threat – Biden’s marquee cyber regulation may also be his most endangered: a pending requirement for critical infrastructure organizations to report cyberattacks within 72 hours and ransomware payments within 24 hours.

All Eyes on Congress – The government’s cyber regulation push is likely to run headlong into a judicial morass. Federal judges could reach different conclusions about the same regulations, setting up appeals to regional circuit courts that have very different track records. “The judiciary itself is not a monolith,” says Geiger, of the Center for Cybersecurity Policy and Law. In addition, agencies understand cutting-edge tech issues much better than judges, who may struggle to parse the intricacies of cyber regulations.

There is only one real solution to this problem, according to experts: If Congress wants agencies to be able to mandate cyber improvements, it will have to pass new laws empowering them to do so.



Subject: OPA | DOJ Leads Efforts Among Federal, International, and Private Sector Partners to Disrupt Covert Russian Government-Operated Social Media Bot Farm
Source: US DOJ
https://www.justice.gov/opa/pr/justice-department-leads-efforts-among-federal-international-and-private-sector-partners

The Justice Department today announced the seizure of two domain names and the search of 968 social media accounts used by Russian actors to create an AI-enhanced social media bot farm that spread disinformation in the United States and abroad. The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the United States — which the operators then used to promote messages in support of Russian government objectives, according to affidavits unsealed today.

In conjunction with the domain seizures and search warrant announced today, the FBI and the Cyber National Mission Force (CNMF), in partnership with the Canadian Centre for Cyber Security (CCCS), the Netherlands General Intelligence and Security Service (AIVD), the Netherlands Military Intelligence and Security Service (MIVD), and the Netherlands Police, released a joint cybersecurity advisory detailing the technology behind the social media bot farm, including details regarding how the bot farm’s creators leveraged their bespoke AI system in furtherance of the scheme. The advisory will allow social media platforms and researchers to identify and prevent the Russian government’s further use of the technology. In addition, X Corp. (formerly Twitter) voluntarily suspended the remaining bot accounts identified in the court documents for terms of service violations.



Press Release Number: 24-850


Subject: Meta won’t release advanced AI in the EU due to stronger user data protections
Source: UPI.com
https://www.upi.com/Top_News/World-News/2024/07/18/EU-Meta-AI-data-regulations/6241721316082/

July 18 (UPI) — Meta said Thursday it won’t release Llama, its most advanced artificial intelligence model, in the European Union due to concerns over stronger EU privacy protections and AI regulations.

“We will release a multimodal Llama model over the coming months, but not in the EU due to the unpredictable nature of the European regulatory environment,” Meta said in a statement to Axios.

As a result, European companies won’t be able to use the multimodal AI models and Meta potentially could also prevent companies outside of the EU from offering services that use the systems to European customers.

While that would limit AI products available to individuals in the EU, the data privacy laws in Europe also extend greater protections to users than in other parts of the world.

Meta has been ordered to stop training AI using Facebook and Instagram user posts in the EU due to privacy concerns.

Under that law AI providers in the EU must “establish a risk management system throughout the AI systems lifecycle and conduct data governance making sure AI training, validation and testing datasets are relevant, sufficiently representative and, to the best extent possible, free of errors and complete according to the intended purpose.”

On July 1, the European Commission said Meta had violated the Digital Markets Act and potentially could face massive fines because Meta doesn’t allow users to exercise their right to freely consent to use of their data.

Filed: https://www.upi.com/Top_News/World-News/


Subject: Biden briefed on CrowdStrike IT outage as multiple federal systems impacted
Source: Nextgov/FCW
https://www.nextgov.com/cybersecurity/2024/07/biden-briefed-crowdstrike-it-outage-multiple-federal-systems-impacted/398182/

Social Security offices are closed for the day due to the incident. Hackers may be leveraging news to push sham security patches out to affected customers, cybersecurity training company says.

The incident has led the Social Security Administration offices to close for the day, the agency said in an update. Identity verification services provided by the Login platform are experiencing outages in multiple states, according to an incident report. The Federal Communications Commission also said some 911 services have been disrupted.

The Cybersecurity and Infrastructure Security Agency is “working with CrowdStrike, Microsoft and our federal, state, local and critical infrastructure partners to fully assess and address system outages,” DHS said in a post on the X platform. A spokesperson for the federal Chief Information Officer did not immediately respond to a request for comment.

CISA itself is affected, according to an analyst who spoke on the condition of anonymity because they were not permitted to provide updates on the internal status of agency systems.

An ongoing mystery surrounding the outage is how deeply embedded CrowdStrike’s systems are within the Windows operating systems affected in the incident. Third-party cybersecurity products like those offered by CrowdStrike are often bolted onto the core operating platforms of the devices they service in order to get a comprehensive view of potential cyber threats that seek to sabotage devices.

Filed: https://www.nextgov.com/cybersecurity/

To protect America’s vital infrastructure from hackers without relying on a moribund Congress, the Biden administration bet big on creative uses of existing laws. But the Supreme Court probably blew up that approach.

Posted in: AI, Congress, Cybersecurity, Legal Research, Privacy, Social Media, United States Law