Thursday, March 04, 2021

Looks like Microsoft is driving here. DHS is dictating actions, but only if agencies have the expertise.

https://www.makeuseof.com/homeland-security-declares-microsoft-exchange-attack-emergency/

Homeland Security Declares Microsoft Exchange Attack "Emergency"

Homeland Security has declared an ongoing attack against Microsoft Exchange as an emergency. The attacks, which began earlier this week, target Microsoft Exchange Servers, stringing together several zero-day exploits to access secure email accounts.

Homeland Security issued Emergency Directive 21-02 late on March 3, delivering some background information on the Microsoft Exchange attack.

Microsoft has pointed the finger squarely at a Chinese nation-state hacking group known as HAFNIUM. Usually, companies take a little longer before committing to naming a suspect, but Microsoft is in little doubt that a "highly skilled and sophisticated actor" is behind the attack.





Not sure I understand the subtle reasoning…

https://www.databreaches.net/court-upholds-insurers-denial-of-6m-crime-claim-for-phishing-loss/

Court Upholds Insurers’ Denial of $6M Crime Claim for Phishing Loss

Andrew G. Simpson reports:

Real estate software maker RealPage has been denied a $6 million computer crime insurance coverage claim because the stolen funds were not in its possession but were instead being held by a payment processing firm at the time of a phishing scheme.
National Union Fire Insurance Co. (a unit of American International Group-AIG) and Beazley Insurance Co., insurers for RealPage, won dismissal of all claims against them in an opinion by Judge Jane J. Boyle of the U.S. District Court in Dallas.

Read more on Insurance Journal.

[From the article:

The court found that funds that are “maintained in a commingled account in a third party’s name, at a third-party bank, which the insured can direct but not access, are not funds ‘held’ by the insured.”

The court recognized that RealPage might have intended to “hold” the client’s funds and further acknowledged that the bad actors utilized RealPage credentials to obtain the funds. Nevertheless, the court concluded that based on the plain language, RealPage did not hold the funds.]





What does Alexa think?

https://www.pogowasright.org/study-reveals-extent-of-privacy-vulnerabilities-with-amazons-alexa/

Study Reveals Extent of Privacy Vulnerabilities with Amazon’s Alexa

From the North Carolina State University:

A recent study outlines a range of privacy concerns related to the programs that users interact with when using Amazon’s voice-activated assistant, Alexa. Issues range from misleading privacy policies to the ability of third-parties to change the code of their programs after receiving Amazon approval.
“When people use Alexa to play games or seek information, they often think they’re interacting only with Amazon,” says Anupam Das, co-author of the paper and an assistant professor of computer science at North Carolina State University. “But a lot of the applications they are interacting with were created by third parties, and we’ve identified several flaws in the current vetting process that could allow those third parties to gain access to users’ personal or private information.”
At issue are the programs that run on Alexa, allowing users to do everything from listen to music to order groceries. These programs, which are roughly equivalent to the apps on a smartphone, are called skills. Amazon has sold at least 100 million Alexa devices (and possibly twice that many), and there are more than 100,000 skills for users to choose from. Because the majority of these skills are created by third-party developers, and Alexa is used in homes, researchers wanted to learn more about potential security and privacy concerns.
… The researchers also found that Amazon allows multiple skills to use the same invocation phrase.
… Amazon does have some privacy protections in place, including explicit requirements related to eight types of personal data – including location data, full names and phone numbers. One of those requirements is that any skills requesting this data must have a publicly available privacy policy in place explaining why the skill wants that data and how the skill will use the data.
But the researchers found that 23.3% of 1,146 skills that requested access to privacy-sensitive data either didn’t have privacy policies or their privacy policies were misleading or incomplete.
The paper, “Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem,” was presented at the Network and Distributed Systems Security Symposium 2021, which was held Feb. 21-24.

Reference:

“Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem”

Authors: Christopher Lentzsch and Martin Degeling, Ruhr-Universität Bochum; Sheel Jayesh Shah, Anupam Das and William Enck, North Carolina State University; and Benjamin Andow, Google Inc.

Presented: Feb. 21-24, Network and Distributed Systems Security Symposium 2021

DOI: 10.14722/ndss.2021.23111





Time to close the loopholes?

https://www.techradar.com/news/gdpr-is-already-out-of-date-founder-warns

GDPR is already out of date, founder warns

German MEP Axel Voss, one of the strongest proponents of the EU’s General Data Protection Regulation (GDPR) firmly believes that it’s time to give it an overhaul.

GDPR was passed in 2016 and is hailed as one of the most significant pieces of privacy-related legislation, with equally vocal supporters and detractors. However, in an interview with the Financial Times, Voss argues that GDPR isn’t ready to tackle the challenges of the current environment.

“We have to be aware that GDPR is not made for blockchain, facial or voice recognition, text and data mining [ . . . ] artificial intelligence,” Voss told FT.





We can, therefore we must.

https://www.vice.com/en/article/bvx4bq/talon-flock-safety-cameras-police-license-plate-reader

Inside ‘TALON,’ the Nationwide Network of AI-Enabled Surveillance Cameras

Hundreds of pages of emails obtained by Motherboard show how little-known company Flock has expanded from surveilling individual neighborhoods into a network of smart cameras that spans the United States.

… Flock, whose cameras use automatic license plate reader technology, is well on its way to deploying a connected network of AI-powered cameras that detect the movements of cars across the United States.





Tossing out a lot of facts?

https://www.axios.com/state-of-artificial-intelligence-stanford-university-f5d71c41-251e-4fb4-b9b2-89fdee48bb3c.html

AI is industrializing

This morning, the Stanford Institute for Human-Centered Artificial Intelligence (HAI) released its annual AI Index, a top overview of the current state of the field.
