Pete Recommends – Weekly highlights on cyber security issues, November 16, 2024

Subject: Warning: Hackers could take over your email account by stealing cookies, even if you have MFA
Source: Malwarebytes
https://www.malwarebytes.com/blog/news/2024/11/warning-hackers-could-take-over-your-email-account-by-stealing-cookies-even-if-you-have-mfa

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are taking over email accounts via stolen session cookies, allowing them to bypass the multi-factor authentication (MFA) a user has set up.

Here’s how it works. Most of us don’t think twice about checking the “Remember me” box when we log in. When you log in and the server has verified your authentication (straight away or after using MFA), the server creates a session and generates a unique session ID. This session ID is stored in a session cookie (or a “Remember-Me cookie” as the FBI calls it) on your browser, which is typically valid for 30 days.

Every time you return to that website within the time frame, you don’t need to log in. That’s really convenient… unless someone manages to steal that cookie from your system.

If someone steals the session cookie, they can log in as you—even if you have MFA enabled.

This is particularly relevant for email handlers that have an online—webmail—component. This includes major players like Gmail, Outlook, Yahoo, and AOL.

With access to your email account, a cybercriminal can find a lot of useful information about you, such as where you bank, your account numbers, your favorite shops, and more. This information could then be used for targeted cyberattacks that mention information that’s relevant to you only, leaving you more likely to fall for them.

Cybercriminals could use your account to spread spam and phishing emails to your contacts. And perhaps most worrying of all, once an attacker is in your email account they can reset your passwords to your other accounts and login as you there too.

How do these criminals get their hands on your session cookies? There are several ways. On very rare occasions, session cookies can be stolen by you visiting a malicious website, or via a Machine-in-the-Middle (MitM) attack where a cybercriminal can intercept traffic and steal cookies if they’re not protected by HTTPS on an unsecured network.

However, session cookies are usually stolen by malware on your device. Modern information-stealing malware is capable of, and even focuses on, stealing session cookies as part of its activity.
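The mechanism described above, as an added illustration (not code from the Malwarebytes article or the FBI advisory): a toy in-memory session store in which MFA is checked once at login, after which any holder of the cookie value is accepted, plus the server-side revocation and cookie attributes a defender would reach for. Names such as `SessionStore` and `revoke_all` are assumptions for this example.

```python
import secrets

# The 30-day "Remember me" lifetime the advisory describes.
REMEMBER_ME_TTL = 30 * 24 * 3600

class SessionStore:
    """Server-side session table: session_id -> {"user", "expires"} (toy, in-memory)."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, password_ok, mfa_ok, now):
        # MFA is verified exactly once, here, at login time ...
        if not (password_ok and mfa_ok):
            return None
        sid = secrets.token_urlsafe(32)  # unpredictable session ID
        self._sessions[sid] = {"user": user, "expires": now + REMEMBER_ME_TTL}
        return sid

    def resolve(self, cookie_value, now):
        # ... and never again: whoever presents a valid cookie is treated as the user,
        # which is exactly why a copied cookie sidesteps MFA.
        s = self._sessions.get(cookie_value)
        if s is None or now > s["expires"]:
            self._sessions.pop(cookie_value, None)
            return None
        return s["user"]

    def revoke_all(self, user):
        # Mitigation: a server-side kill switch. Dropping every session for the user
        # (after a password reset or a reported compromise) makes stolen copies useless.
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

def set_cookie_header(sid, ttl=REMEMBER_ME_TTL):
    # Secure: never sent over plain HTTP (the MitM case above); HttpOnly: unreadable by
    # page scripts. Neither stops malware that reads the browser's cookie store on disk.
    return f"session={sid}; Max-Age={ttl}; Secure; HttpOnly; SameSite=Lax"

def demo():
    store = SessionStore()
    t0 = 1_700_000_000  # constructed timestamp
    sid = store.login("alice", password_ok=True, mfa_ok=True, now=t0)
    copied = str(sid)  # an attacker's copy of the cookie value is indistinguishable
    assert store.resolve(copied, t0 + 24 * 3600) == "alice"  # accepted, no MFA prompt
    store.revoke_all("alice")
    return store.resolve(copied, t0 + 24 * 3600)  # None: revoked server-side
```

Revoking sessions on password change is the one step in this sketch that actually helps once a cookie has already left the machine; the cookie attributes only narrow how it can leak.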

How to keep your email account safe…

Filed in Blog Category: https://www.malwarebytes.com/blog/category/threats


Subject: The Real Problem With Banning Masks at Protests
Source: WIRED
https://www.wired.com/story/the-real-problem-with-banning-masks-at-protests/

This article was published in partnership with The Marshall Project, a nonprofit news organization covering the US criminal justice system.

Privacy advocates worry banning masks at protests will encourage harassment, while cops’ high-tech tools render the rules unnecessary.

While today’s activists have more reliable communication tools than did Revolutionary War–era agitators, the Boston Tea Party’s ringleaders didn’t have to contend with surveillance technology, like Stingrays that impersonate cell phone towers to track nearby cell phones en masse, geofence warrants that let law enforcement request location data from companies about all the devices in a certain area (often without a warrant), professional social media monitoring firms that maintain scores of clandestine accounts to surveil activists, networks of automated license plate reading cameras that can track protesters’ vehicles, and even gait analysis technologies that can identify someone based on how they walk.

Thirteen states have some law on the books permitting lawsuits over doxxing.

The Council on American-Islamic Relations (CAIR), an advocacy organization for Muslim civil liberties in America, says that doxxing is on the rise. “For decades now, American Muslims have been a testing ground for intrusive surveillance and other policies that I think many Americans would object to, were they the initial target of it,” said Corey Saylor, CAIR’s research and advocacy director. “These things are tested against disliked populations, but then applied to the general population as a whole.”

Even while wearing a mask in public, there’s so much information people leave on the internet making them identifiable. “You don’t need their face. You just need a really unreliable relative who loves posting all the time,” Sotakoun said. “I think people think the end-all-be-all is if people cover their face, they’ll never be found, but they don’t realize … [that if they] said, ‘Hey, I’m celebrating at the Cheesecake Factory. Here we are on December 3, 2019.’ You willingly gave that up.”

“There are lots of different tools that are available to law enforcement. Facial recognition is one of those tools that it’s about expediency,” said Nicole Napolitano, director of research at the Center for Policing Equity. But it’s not without its pitfalls. Like PimEyes, tools like Clearview AI can make mistakes and incorrectly identify people, leading to erroneous arrests. “Police have become increasingly reliant on and then biased by what the model tells them,” said Napolitano.

“There’s no constitutional right to cover your face in public,” charged Meyers, the Manhattan Institute’s policing director.

Check out a full breakdown of the surveillance technology that can be used to monitor protesters here.

Filed: https://www.wired.com/category/security


Subject: FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-most-exploited-vulnerabilities-of-2023/

The FBI, the NSA, and cybersecurity authorities of the Five Eyes intelligence alliance have today released a list of the top 15 routinely exploited vulnerabilities throughout last year. A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks’ exposure to potential attacks.

“In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets,” the cybersecurity agencies warned.

“In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.”

As they also revealed, 12 out of the top 15 vulnerabilities routinely abused in the wild were addressed last year, lining up with the agencies’ warning that threat actors focused their attacks on zero-days (security flaws that have been disclosed but are yet to be patched).

Here is the complete list of last year’s most exploited vulnerabilities and relevant links to the National Vulnerability Database entries.

Filed: https://www.bleepingcomputer.com/news/security/


Subject: Meta AI can now be used by the US military for national security
Source: The Verge
https://www.theverge.com/2024/11/4/24287951/meta-ai-llama-war-us-government-national-security

Meta will now allow US government agencies and contractors to use its open-source Llama AI model for “national security applications.” In an announcement on Monday, the company said it’s working with Amazon, Microsoft, IBM, Lockheed Martin, Oracle, and others to make Llama available to the government.

Under Meta’s “acceptable use policy,” people can’t use the latest Llama 3 model for “military, warfare, nuclear industries or applications, espionage.” However, as explained by Meta, this update opens the door for the US military to use Llama to do things like “streamline complicated logistics and planning, track terrorist financing or strengthen our cyber defenses.”…

Filed: https://www.theverge.com/ai-artificial-intelligence


Subject: Some of Substack’s Biggest Newsletters Rely on AI Writing Tools
Source: WIRED
https://www.bespacific.com/some-of-substacks-biggest-newsletters-rely-on-ai-writing-tools/

Wired – unpaywalled: “The most popular writers on Substack earn up to seven figures each year primarily by persuading readers to pay for their work. The newsletter platform’s subscription-driven business model offers creators different incentives than platforms like Facebook or YouTube, where traffic and engagement are king. In theory, that should help shield Substack from the wave of click-courting AI content that’s flooding the internet. But a new analysis shared exclusively with WIRED indicates that Substack hosts plenty of AI-generated writing, some of which is published in newsletters with hundreds of thousands of subscribers. The AI-detection startup GPTZero scanned 25 to 30 recent posts published by the 100 most popular newsletters on Substack to see whether they contained AI-generated content. It estimated that…

Many of the newsletters GPTZero flagged as publishing AI-generated writing focus on sharing investment news and personal finance advice. While no AI-detection service is perfect—many, including GPTZero, can produce false positives—the analysis suggests that hundreds of thousands of people are now regularly consuming AI-generated or AI-assisted content that they are specifically subscribing to read. In some cases, they’re even paying for it…”

Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.


Subject: US regulator could impose bank-like state supervision regime on Google
Source: Android Headlines
https://www.androidheadlines.com/2024/11/us-regulator-could-impose-bank-like-state-supervision-regime-on-google.html

Among its vast portfolio of products and services, Google offers Wallet. Google Wallet’s functionality has expanded over time, but its main goal has always been to make digital payments simple. Perhaps due to this, a recent report suggests that the US CFPB regulator is considering imposing a state supervision regime on Google. This might represent a new obstacle beyond the lawsuits filed by the DOJ. The type of supervision that the agency reportedly wants to impose on Google normally applies to banking institutions. It implies that organizations must follow a set of strict rules and protocols that go beyond the regulations applied to tech companies. The CFPB (Consumer Financial Protection Bureau) was created in 2008 to protect consumers from potentially harmful practices in the face of the financial crisis.

A US regulator wants to impose a government supervision regime on Google. The CFPB’s specific motivation for imposing the government supervision regime on the Mountain View giant remains unknown. However, …

Filed: https://www.androidheadlines.com/category/google-news


Subject: Federal CIO focused on cyber, smooth transition in months ahead
Source: FedScoop
https://fedscoop.com/federal-cio-focused-on-cyber-smooth-transition-in-months-ahead/

As the White House gets ready to “pass the baton” to the incoming Trump administration, Federal CIO Clare Martorana said she is focused on cybersecurity issues and making sure her team does everything it can for their replacements to be set up for success. Over the remaining two months of the Biden administration, Martorana said in an interview with FedScoop on the sidelines of the ACT-IAC CX Summit on Friday that cyber is her top area of focus because “you need security, engineering, [and] competencies when you are contemplating the problem set in the solution you’re trying to design.”

Martorana said the nation’s data are its “crown jewels,” and she’s especially mindful about protecting health care and social security data. Before her departure, Martorana said she wants to make sure that cybersecurity is not a “bolt-on thing at the end” but instead is a core component of product development for American citizens.

Martorana has been vocal about the need for investments in cybersecurity, specifically with zero-trust implementation efforts across the federal landscape. During a panel at the Billington Cybersecurity Summit in Washington, D.C. in September, she emphasized the need to constantly work toward zero trust.


Subject: NIST report on hardware security risks reveals 98 failure scenarios
Source: Help Net Security
https://www.helpnetsecurity.com/2024/11/15/nist-report-hardware-security-risks/

NIST’s latest report, “Hardware Security Failure Scenarios: Potential Hardware Weaknesses” (NIST IR 8517) [82-page PDF; 3-page PDF starts on page 6], explores the hidden vulnerabilities in computer hardware, a domain often considered more secure than software. The report highlights how hardware flaws embedded in chip designs can lead to security risks that are difficult to fix post-production.

The document outlines 98 failure scenarios, detailing various ways attackers can exploit hardware design and implementation weaknesses. Issues such as improper access control, faulty coding standards and lifecycle management errors are among the scenarios discussed. These scenarios demonstrate how attackers could bypass security measures, access sensitive data, or disrupt system operations.

Posted in: AI, Cybersecurity, Financial System, Privacy, Social Media