Pete Recommends – Weekly highlights on cyber security issues, March 23, 2024

Subject: 988 currently doesn’t use geolocation services. Counties want to change that.
Source: Route Fifty
https://www.route-fifty.com/management/2024/03/988-currently-doesnt-use-geolocation-services-counties-want-change/394964/

Federal agencies are working with the nation’s major wireless carriers to resolve an issue with the 988 Suicide and Crisis Lifeline that can lead to those seeking help being sent to call centers thousands of miles away from where they actually are. The issue is over how callers to 988 are being routed to counselors.
Currently, people dialing into the hotline are sent to a call center based on their area code, not on where they are physically calling from. The Substance Abuse and Mental Health Services Administration, or SAMHSA, has been working with the Federal Communications Commission and cellphone carriers like Verizon to test routing calls based on where a person in crisis is generally located. To protect their privacy, their exact location is not being given to call centers.

Subject: FDA Roundup — AI
Source: FDA.gov
https://www.fda.gov/news-events/press-announcements/fda-roundup-march-15-2024

For Immediate Release:
  • Today, the FDA published its new paper, “Artificial Intelligence and Medical Products: How CBER, CDER, CDRH, and OCP are Working Together,” which outlines specific focus areas regarding the development and use of AI across the medical product lifecycle. The paper helps further align and streamline the agency’s work in AI. Read more about the agency’s AI initiatives on our website.
  • Today, the FDA published the “Catching Up with Califf: Harnessing the Potential of Artificial Intelligence,” by Robert M. Califf, M.D., Commissioner of Food and Drugs. The Commissioner discusses how the agency has been working for years to anticipate and prepare for the challenges of Artificial Intelligence (AI), and also to harness its potential. Since 1995, the FDA has received over 300 submissions for drugs and biological products with AI components, and more than 700 submissions for AI-enabled devices. The agency is also exploring the use of AI technologies to facilitate internal operations and regulatory processes.

Subject: Hackers Using Cracked Software on GitHub to Spread RisePro Info Stealer
Source:  The Hacker News
https://thehackernews.com/2024/03/hackers-using-cracked-software-on.html

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro. The campaign, codenamed gitgub, includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary.

“The repositories look similar, featuring a README.md file with the promise of free cracked software,” the German cybersecurity company said.

“Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency.”

The list of repositories is as follows, with each of them pointing to a download link (“digitalxnetwork[.]com”) containing a RAR archive file…

“The current rise of information-stealing malware is a stark reminder of constantly evolving digital threats,” Flashpoint noted in January 2024. “While the motivations behind its use is almost always rooted in financial gain, stealers are continually adapting while being more accessible and easier to use.”


Subject: FTC probing Reddit plan to let AI firms use user-generated content to train software
Source: The Hill
https://thehill.com/business/4536527-ftc-probe-reddit-plan-ai-firms-use-user-content-train-software/

The Federal Trade Commission (FTC) is probing Reddit’s plan to let artificial intelligence (AI) firms utilize user-generated content to train their software, according to the social media company’s Securities and Exchange Commission (SEC) filing Friday. The inquiry comes just days before Reddit is slated to complete its initial public offering, after filing for it last month.


Subject: Data arms dealing: Why Biden’s executive order on ‘countries of concern’ misses the mark
Source: The Hill [Opinion] – Jonathan Joseph is a board member of The Ethical Tech Project.
https://thehill.com/opinion/technology/4535158-data-arms-dealing-why-bidens-executive-order-on-countries-of-concern-misses-the-mark/

By targeting the flow of personal information to U.S. adversaries — including China and Russia — this executive order makes it super clear (in case it wasn’t already) how valuable and prone to mischief our personal data is. By preventing our most personal data, such as where we go, how we feel, and intimate details buried in our health records, from falling into the hands of potentially hostile states, President Biden hopes to reduce the potential for blackmail, scams and national security leaks.

While this move should be welcomed as a step toward safeguarding personal information from external threats, it stops short of addressing the numerous ways in which sensitive data is routinely commodified and mishandled domestically. And that’s to say nothing of what happens to our personal data when it crosses the borders to the hundreds of other nations not designated “countries of concern.”

The weaponization of data — and the practice of what could be described as “data arms dealing” — represents a much broader and pervasive issue. There are far bigger threats than those the executive order addresses.

[NB: “collect” is only mentioned once]

Subject: The government agency scammers spoof most seems so innocent
Source: NEXSTAR via The Hill
https://thehill.com/homenews/nexstar_media_wire/4526896-the-government-agency-scammers-spoof-most-seems-so-innocent/

(NEXSTAR) – The organization that dupes people into handing over their money and personal information isn’t a fake IRS or imposter Social Security Administration. It isn’t a private company either – though one recent Amazon scam did trick a financial advice columnist into handing over $50,000 in a shoe box. More than any other organization, scammers find success impersonating the U.S. Postal Service, according to a report released by the Better Business Bureau.

How do these scams work? The majority are phishing schemes, sent by text or email, explains Melanie McGovern, director of public relations for BBB. One example reads: “The USPS package has arrived at the warehouse and cannot be delivered due to incomplete address information. Please confirm your address in the link within 12 hours.”

The top 10 impersonated organizations in 2023, according to the BBB, were:

  1. U.S. Postal Service
  2. Amazon
  3. Publishers Clearing House
  4. Geek Squad
  5. Norton
  6. PayPal
  7. Microsoft
  8. Walmart
  9. Facebook
  10. McAfee

Subject: Why you should stop using SMS
Source: Proton Blog
https://proton.me/blog/stop-using-sms [end of article is infomercial]

Published on March 30, 2022

Short Message Service (SMS), also known simply as text messaging, has been with us since the birth of mobile phones (the first-ever text message was sent over the Vodafone network in 1992).

SMS is supported by almost every mobile network provider in the world, with over two trillion SMS messages being sent during 2020 in the United States alone. Indeed, the United States remains a bastion of SMS use, bucking the growing trend in other countries to use internet-based alternatives such as WhatsApp and Telegram. The big advantage of SMS is that it is universal — it’s on everyone’s phones, allowing you to text anyone, regardless of whether they use an iPhone or an Android phone, or whether they use one of many competing third-party messaging apps.

However, unlike encrypted email, SMS was developed before the necessity of ensuring communications are secure and private was even considered. The result is that SMS messages are an open book, easily read by your mobile service provider, your government, and criminal hackers.

This is made all the scarier by the fact that two-factor authentication (2FA) codes are routinely sent via SMS.


Subject: Optery just published a blog … about OneRep.com
Source: Brian Krebs Mastodon
https://newsie.social/@[email protected]/112117208793513617

Optery just published a blog post corroborating some of my reporting last week about OneRep.com, a personal data removal firm whose CEO apparently founded dozens of people-search firms. krebsonsecurity.com/2024/03/ce

They point to several instances where bits of this connection were made and published by others online over the years, but those folks were then hit with Cease & Desist letters or copyright claims from OneRep. In one blog post I cited in the story from PrivacyDuck.com, the owner of the domain died and the domain was grabbed by speculators.


Subject: Serious New Warning As Google AI Targets Billions Of Private Messages
Source: Forbes
https://www.forbes.com/sites/zakdoffman/2024/01/28/new-details-free-ai-upgrade-for-google-and-samsung-android-users-leaks/

Researchers have just unveiled a pre-release, game-changing AI upgrade for Google Messages. But it’s one with a serious privacy risk—it seems that Bard may ask to read and analyze your private message history. So how might this work, how do you maintain your privacy, and when might this begin?

Google’s AI to begin analyzing private messages on Android smartphones.

And so here comes the next privacy battlefield for smartphone owners still coming to terms with app permissions, privacy labels and tracking transparency, and with all those voice AI assistant eavesdropping scandals still fresh in the memory. Google’s challenge will be convincing users that this doesn’t open the door to the same kind of privacy nightmares we’ve seen before, where user content and AI platforms meet.

Bard’s chat says the same. “While Google assures on-device analysis,” it says, “any data accessed by Bard is technically collected, even temporarily. Concerns arise about potential leaks, misuse, or hidden data sharing practices. The extent of Bard’s analysis and how it uses your data should be transparent. Users deserve granular control over what data is analyzed, for what purposes, and how long it’s stored.”

The analysis of your message history isn’t the only privacy debate here. Google’s deployment of Bard is just part of the shift from browser-based to directed search, and you will need to be increasingly cautious as to the quality of the results you’re being given. Bard isn’t a chat with a friend. It’s a UI sitting across the world’s most powerful and valuable advertising and tracking machine.

On which note, Bard’s chat left me a final thought that might be better directed at its creators than its users: “Remember, you have the right to demand clarity, control, and responsible AI development from the companies you trust with your data.”


Subject: Improvements to information sharing between U.S. Intelligence Community, private companies introduced in Congress
Source: Homeland Preparedness News
https://homelandprepnews.com/stories/81823-improvements-to-information-sharing-between-u-s-intelligence-community-private-companies-introduced-in-congress/

Several Democrat and Republican lawmakers from both chambers of Congress recently introduced the Enhancing Public-Private Sharing on Manipulative Adversary Practices in Critical Minerals Projects Act to increase the information sharing relationship between private companies and the U.S. Intelligence Community (IC). While Congress is considering banning TikTok for reportedly doing similar things with China, lawmakers from both parties introduced this legislation to require the Director of National Intelligence (DNI) to develop a strategy for improving the sharing of information and intelligence on foreign adversaries’ tactics and activities to spread disinformation, steal intellectual property or pursue other illegal efforts against U.S. interests abroad. Specifically, though, this would apply to U.S. companies in foreign jurisdictions on projects relating to energy generation and storage. …


Subject: U.S. announces expanded international effort to fight misuse of commercial spyware
Source: UPI.com
https://www.upi.com/Top_News/World-News/2024/03/18/commercial-spyware-coalition-Pegasus/3401710760346/

March 18 (UPI) — The White House said on Monday that six countries have joined an international effort to counter the spread and misuse of commercial spyware mostly used by authoritarian regimes to control and restrict their political opponents and others. Finland, Germany, Ireland, Japan, Poland and South Korea all joined the commitment to work together to reel in bad actors using the technology. They join the United States, Australia, Britain, Canada, Costa Rica, Denmark, France, Ireland, New Zealand, Norway, Sweden and Switzerland.

Filed: https://www.upi.com/Top_News/World-News/


Subject: Data brokers admit they’re selling information on precise location, kids, and reproductive healthcare
Source: Malwarebytes
https://www.malwarebytes.com/blog/news/2024/03/data-brokers-admit-theyre-selling-information-on-precise-location-kids-and-reproductive-healthcare

[an infomercial at end …] Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

Any business that meets the definition of data broker must register with the California Privacy Protection Agency (CPPA) annually. The CPPA defines data brokers as businesses that consumers don’t directly interact with, but that buy and sell information about consumers from and to other businesses.

Where there’s money to be made you’ll find companies and individuals that will go to any length to get a piece of the action. At the moment there are around 480 data brokers registered with the CPPA. However, that might be just the tip of the iceberg, because there are a host of smaller players active that try to keep a low profile. There are 70 fewer data brokers listed than last year, but it is questionable whether they went out of business or just couldn’t be bothered with all the regulations tied to being a listed data broker.

The law requires registered data brokers to disclose in which of the following categories they actively trade information:

  • Minors (24)
  • Precise Geolocation (79)
  • Reproductive healthcare data (25)

Subject: Avoid high cyber insurance costs by improving Active Directory security
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/avoid-high-cyber-insurance-costs-by-improving-active-directory-security/ [Sponsored by Specops Software]

Organizations are investing more than ever to protect themselves from the looming threat of cybercrime. Insurance broker and risk advisor Marsh revealed that US cyber insurance premiums rose by an average of 11% in the first quarter of 2023, and Delinea reported that 67% of survey respondents said their cyber insurance costs increased between 50% and 100% in 2023. With the cost of premiums rising, the survey says it is becoming more difficult for companies to qualify for and obtain cyber insurance, and CISOs and IT leaders are looking for ways to make their organizations more secure in the eyes of insurers.

Reinforcing Active Directory security is one way to protect an organization’s critical infrastructure and manage or even potentially reduce the costs of cyber insurance.

Why are cyber insurance rates rising?

Numerous factors contribute to the rising cost of cyber insurance premiums. As the impacts of cybercrime grow and evolve, cyber insurers will continue to raise their rates to provide coverage.



Subject: From Deepfakes to Malware: AI’s Expanding Role in Cyber Attacks
Source: The Hacker News
https://thehackernews.com/2024/03/from-deepfakes-to-malware-ais-expanding.html

Large language models (LLMs) powering artificial intelligence (AI) tools today could be exploited to develop self-augmenting malware capable of bypassing YARA rules. “Generative AI can be used to evade string-based YARA rules by augmenting the source code of small malware variants, effectively lowering detection rates,” Recorded Future said in a new report shared with The Hacker News.

The findings are part of a red teaming exercise designed to uncover malicious use cases for AI technologies, which are already being experimented with by threat actors to create malware code snippets, generate phishing emails, and conduct reconnaissance on potential targets.

Besides modifying malware to fly under the radar, such AI tools could be used to create deepfakes impersonating senior executives and leaders and conduct influence operations that mimic legitimate websites at scale.

Furthermore, generative AI is expected to expedite threat actors’ ability to carry out reconnaissance of critical infrastructure facilities and glean information that could be of strategic use in follow-on attacks.

Indeed, Microsoft and OpenAI warned last month that APT28 used LLMs to “understand satellite communication protocols, radar imaging technologies, and specific technical parameters,” indicating efforts to “acquire in-depth knowledge of satellite capabilities.”

The development comes as a group of academics have found that it’s possible to jailbreak LLM-powered tools and produce harmful content by passing inputs in the form of ASCII art (e.g., “how to build a bomb,” where the word BOMB is written using characters “*” and spaces).

The practical attack, dubbed ArtPrompt, weaponizes “the poor performance of LLMs in recognizing ASCII art to bypass safety measures and elicit undesired behaviors from LLMs.”


Subject: FTC warns scammers are impersonating its employees to steal money
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/ftc-warns-scammers-are-impersonating-its-employees-to-steal-money/

The U.S. Federal Trade Commission (FTC) warned today that scammers are impersonating its employees to steal thousands of dollars from Americans. FTC staff has received numerous reports from consumers who have fallen victim to scams in which fraudsters exploited the identities of agency personnel to coerce them via phone calls, email, or text messages into transferring or wiring money.

The median financial loss attributed to these FTC impersonation schemes has surged during the last five years, from $3,000 in 2019 to $7,000 in 2024.

Last year alone, the FBI’s Internet Crime Complaint Center (IC3) received [PDF] over 14,000 government impersonation complaints, mostly from the elderly. These complaints led to losses of more than $394 million, a 63% increase compared to 2022.

In response, the agency has released guidelines aimed at helping identify such fraudulent activities, urging U.S. consumers to report any FTC impersonation scams via ReportFraud.ftc.gov in English or ReporteFraude.ftc.gov in Spanish.

How to defend against scammers – In January, when it warned of tech support and government impersonation scammers using courier services to collect money, the FBI shared the following tips to reduce the risk of falling victim to similar fraud attempts…


Subject: AI and the Evolution of Social Media
Source: Schneier on Security
https://www.schneier.com/blog/archives/2024/03/ai-and-the-evolution-of-social-media.html

In particular, five fundamental attributes of social media have harmed society. AI also has those attributes. Note that they are not intrinsically evil. They are all double-edged swords, with the potential to do either good or ill. The danger comes from who wields the sword, and in what direction it is swung. This has been true for social media, and it will similarly hold true for AI. In both cases, the solution lies in limits on the technology’s use.


Subject: US Warns of Cyberattacks Against Water Systems Throughout Nation
Source: Bloomberg
https://archive.is/4gByN

[h/t Sabrina – with unpaywalled link]

  • Letter cites threats from hackers linked to Iran, China
  • EPA is lead federal agency to ensure water sector’s resilience

The Biden administration is warning states to be on guard for cyberattacks against water systems, citing ongoing threats from hackers linked to the governments of Iran and China. “Disabling cyberattacks are striking water and wastewater systems throughout the US,” Environmental Protection Agency Administrator Michael Regan and National Security Advisor Jake Sullivan wrote in a letter to governors made public Tuesday. “These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities.”

Read More: Iranian-Linked Hacks Expose Failure to Safeguard US Water System

Filed: Technology — https://archive.is/Vhn1V


Subject: The Feds Can Film Your Front Porch for 68 Days Without a Warrant, Says Court
Source: Gizmodo
https://gizmodo.com/feds-can-film-your-front-porch-without-warrant-1851352414

A federal court says your privacy is diminished due to the proliferation of video cameras throughout society. Law enforcement in Kansas recorded the front of a man’s home for 68 days straight, 15 hours a day, and obtained evidence to prove him guilty on 16 charges. The officers did not have a search warrant, using a camera on a pole positioned across the street to capture Bruce Hay’s home. A federal court ruled on Tuesday that it was fine for law enforcement to do so, in what’s potentially a major reduction in privacy law.

Hay, an Army veteran, was found guilty of lying about his disability status to collect benefits from the Department of Veteran Affairs (VA). However, the concerning part of this case stems from how VA officers collected evidence against Hay. The veteran appealed his case, arguing that the months-long surveillance of his home crossed a line. However, the federal court ruled that law enforcement can videotape the outside of your home, partially because of how prominent video cameras have become in society.

[how high can the camera be? how about a drone surveillance? when does the 68-day clock restart?]


Subject: House advances bill empowering FTC to punish data transfers to foreign rivals
Source: Nextgov/FCW
https://www.nextgov.com/cybersecurity/2024/03/house-advances-bill-empowering-ftc-punish-data-transfers-foreign-rivals/395103/

The unanimously approved legislation would give the FTC more enforcement power over data transfers to nations like China and Russia. The House on Wednesday unanimously approved a measure that would penalize data brokers who enable the transfer of Americans’ sensitive data to foreign rivals like China.

The Protecting Americans’ Data from Foreign Adversaries Act advanced out of the lower chamber in a 414-0 vote Wednesday. It was introduced in early March by House Energy and Commerce Committee leaders Cathy McMorris Rodgers, R-Wash. and Frank Pallone, Jr., D-N.J. following a recent executive order signed by President Joe Biden that gives multiple agencies enhanced legal power to prevent similar data transfers from going to foreign adversaries.

The bill would give the Federal Trade Commission the authority to seek civil penalties of at least $50,000 when a data broker sells information to foreign adversaries or entities controlled by those foreign adversaries, which include China, Iran, Russia and North Korea, as defined by acquisition restrictions in U.S. code. That list notably excludes Cuba and Venezuela, which were mentioned in the Biden directive.

Covered data under the bill includes genetic info, biometrics, financial accounts and health records, similar to the categories listed in the White House order. But the executive order differs in that it does not list the FTC as an enforcement agency, instead putting the onus on the departments of Justice, Homeland Security, Health and Human Services and others to craft the measures necessary to enforce it.

Filed: https://www.nextgov.com/cybersecurity/


Subject: CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques
Source: CISA
https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-release-update-joint-guidance-distributed-denial-service-techniques

Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of DDoS techniques:

  • Volumetric: attacks aiming to consume available bandwidth.
  • Protocol: attacks which exploit vulnerabilities in network protocols.
  • Application: attacks targeting vulnerabilities in specific applications or running services.

Filed: https://www.cisa.gov/news-events/cybersecurity-advisories


Subject: DOJ sues Apple in antitrust case, says it has illegal monopoly over smartphones
Source: AP News
https://apnews.com/article/apple-antitrust-monopoly-app-store-justice-department-822d7e8f5cf53a2636795fcc33ee1fc3

WASHINGTON (AP) — The Justice Department on Thursday announced a sweeping antitrust lawsuit against Apple, accusing the tech giant of engineering an illegal monopoly in smartphones that boxes out competitors, stifles innovation and keeps prices artificially high. The lawsuit, filed in federal court in New Jersey, alleges that Apple has monopoly power in the smartphone market and leverages control over the iPhone to “engage in a broad, sustained, and illegal course of conduct.”

“Apple has locked its consumers into the iPhone while locking its competitors out of the market,” said Deputy Attorney General Lisa Monaco. Stalling the advancement of the very market it revolutionized, she said, it has “smothered an entire industry.”

Apple called the lawsuit “wrong on the facts and the law” and said it “will vigorously defend against it.”


Subject: How to Figure Out What Your Car Knows About You
Source: EFF
https://www.bespacific.com/how-to-figure-out-what-your-car-knows-about-you/

EFF – (and Opt Out of Sharing When You Can):

“Cars collect a lot of our personal data, and car companies disclose a lot of that data to third parties. It’s often unclear what’s being collected, and what’s being shared and with whom. A recent New York Times article highlighted how data is shared by G.M. with insurance companies, sometimes without clear knowledge from the driver. If you’re curious about what your car knows about you, you might be able to find out. In some cases, you may even be able to opt out of some of that sharing of data…

Subject: Transportation Department launching probe of major airlines’ privacy policies
Source: UPI.com
https://www.upi.com/Top_News/US/2024/03/21/airline-passenger-privacy-policies/8711711022304/

March 21 (UPI) – The Department of Transportation said it is reviewing the privacy policies of the country’s 10 largest airlines to make sure passenger information is not being deceptively sold or shared with third parties. While a statement by the department did not mention a specific incident that sparked the review, Transportation Secretary Pete Buttigieg said the agency will be looking for “evidence of problematic practices” that expose the personal information of passengers.

The review includes the carriers Allegiant, Alaska, American, Delta, Frontier, Hawaiian, JetBlue, Southwest, Spirit and United. “Airline passengers should have confidence that their personal information is not being shared improperly with third parties or mishandled by employees,” Buttigieg said in a statement.


Subject: X Continues to Break as Fraudsters Use Deceptive Links to Scam You
Source: Gizmodo
https://gizmodo.com/x-twitter-break-fraudsters-deceptive-links-to-scam-you-1851358463

Elon Musk’s social media platform is sending users to different websites than what they were expecting. Links have always been an important part of Twitter’s ecosystem. But lately, links on X are sending people to different sites than what they’re clicking. A verified account on X recently posted a link to a legitimate Forbes article that took users to a Telegram account promoting a crypto scam.

This example, caught by security researcher Will Dormann this week, shows a link preview to “Forbes.com.” However, when you click the link, it takes you to “Crypto with Harry,” a Telegram account promoting how it helps users earn “maximum profit.” The scam appeared to Dormann as an X advertisement coming from a verified account, and the post is still live today with roughly 1.1 million views.

X is failing to show users the immediate destination a link will send them, according to Bleeping Computer. Scammers can embed multiple destinations into their links, and design them so bots and automated accounts will skip over the “crypto link” and go straight to the Forbes article. However, actual users are all getting sent to the crypto scam.
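The technique described above is client cloaking: a redirect hop answers differently depending on whether the visitor looks like a link-preview crawler or a real browser, so the preview shows one site while people land on another. A defender can catch this by resolving the same link twice, once as a crawler and once as a browser, and comparing where the two chains end. The script below is an added example written for this digest; it is not code from Gizmodo, BleepingComputer or Will Dormann. To run offline it replaces live HTTP requests with a constructed redirect table (all hostnames are made up); in a real check the `follow` function would issue the requests itself with the two User-Agent strings and read the `Location` headers.

```python
"""Detect client cloaking in a redirect chain (added example, constructed data).

The redirect behaviour is simulated with an in-memory table so the script
runs offline. Replace REDIRECTS lookups with real requests (two different
User-Agent strings, no automatic redirect following) to check live links.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical client profiles: a crawler-like client and a phone browser.
BOT_PROFILE = "bot"
HUMAN_PROFILE = "human"

# Constructed redirect table: (url, profile) -> next hop. A URL that has no
# entry for a profile is treated as that profile's final destination.
REDIRECTS = {
    # first hop: a generic shortener that treats both clients the same
    ("https://short.example/abc", BOT_PROFILE): "https://redir.example/r?id=1",
    ("https://short.example/abc", HUMAN_PROFILE): "https://redir.example/r?id=1",
    # cloaking hop: crawlers get the genuine article, browsers get a chat channel
    ("https://redir.example/r?id=1", BOT_PROFILE): "https://news.example/article",
    ("https://redir.example/r?id=1", HUMAN_PROFILE): "https://chat.example/channel",
    # benign shortener for comparison: both clients end on the same host
    ("https://short.example/ok", BOT_PROFILE): "https://news.example/other",
    ("https://short.example/ok", HUMAN_PROFILE): "https://news.example/other",
    # a redirect loop, to exercise the hop limit
    ("https://loop.example/a", HUMAN_PROFILE): "https://loop.example/b",
    ("https://loop.example/b", HUMAN_PROFILE): "https://loop.example/a",
}


@dataclass
class ChainResult:
    hops: list = field(default_factory=list)  # every URL visited, start first
    looped: bool = False                       # loop or hop budget exhausted

    @property
    def final(self) -> str:
        return self.hops[-1]


def follow(start: str, profile: str, table=REDIRECTS, max_hops: int = 10) -> ChainResult:
    """Walk the redirect chain for one client profile, stopping on loops."""
    result = ChainResult(hops=[start])
    seen = {start}
    url = start
    for _ in range(max_hops):
        nxt = table.get((url, profile))
        if nxt is None:               # no redirect for this client: final page
            return result
        result.hops.append(nxt)
        if nxt in seen:               # revisiting a URL means a loop
            result.looped = True
            return result
        seen.add(nxt)
        url = nxt
    result.looped = True              # budget exhausted: treat as suspicious
    return result


def host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def detect_cloaking(start: str, table=REDIRECTS) -> dict:
    """Resolve the link as a crawler and as a browser; flag differing hosts."""
    bot = follow(start, BOT_PROFILE, table)
    human = follow(start, HUMAN_PROFILE, table)
    return {
        "bot_final": bot.final,
        "human_final": human.final,
        "cloaked": host(bot.final) != host(human.final),
        "looped": bot.looped or human.looped,
    }


if __name__ == "__main__":
    for link in ("https://short.example/abc", "https://short.example/ok", "https://loop.example/a"):
        print(link, detect_cloaking(link))
```

Comparing hostnames rather than full URLs keeps ordinary tracking parameters from producing false positives; a chain that loops or exceeds the hop budget is reported separately, since either is a reason to distrust the link even when no divergence is seen.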

Posted in: AI, Big Data, Business Research, Cybercrime, Cybersecurity, Financial System, Government Resources, Healthcare, Medical Research, Privacy, Social Media