Tuesday, October 26, 2021

This is significant. Remember, a lot of these ransomware gangs are state sponsored. If the UK attacks, will their sponsor retaliate? Don’t get me wrong, I think it’s long overdue.

https://gizmodo.com/britain-wants-to-use-its-new-cyber-command-to-hunt-rans-1847930905

Britain Wants to Use Its New Cyber Command to 'Hunt' Ransomware Gangs

The United Kingdom wants to use a recently formed cyber command to “hunt” and hack ransomware gangs, a high-level government official recently revealed.

Jeremy Fleming, the director of Britain’s signals intelligence agency, GCHQ, divulged the plans at this year’s US Cipher Brief threat conference on Monday. Fleming said that Britain had seen a significant uptick in ransomware attacks and that the government was looking to use offensive operations to deter future attacks.

Operations of this kind would likely involve the government using its own exploits to target and disable servers operated by criminal gangs, the Financial Times reports. The UK’s National Cyber Force—a new unified command, created last year—would be the vector for such activities.

In his comments, Fleming insinuated that governments simply had not done enough to impose costs on underworld operators.


(Related) As long as it’s the criminals and not the state this will be manageable.

https://threatpost.com/groove-ransomware-revil-revenge-us-cyberattacks/175726/

Groove Calls for Cyberattacks on US as REvil Payback

Following the recent international law enforcement effort that dismantled the infrastructure for the REvil ransomware group, fellow cybercrime group Groove called for revenge — encouraging the wider cyber extortionist community to band together to target U.S. interests.

At a time when the U.S. is leading the international law enforcement effort to make splashy busts and shows of force against cybercriminals, this seems like a bold bet by Groove. But they have a plan.

BleepingComputer published a translation of the Russian blog post from Groove, filled with chest-thumping threats against the “US public sector, show this old man who is the boss here who is the boss and who will be on the Internet.”



Think your organization is any better?

https://www.cpomagazine.com/cyber-security/report-shows-appalling-state-of-employee-awareness-of-common-cyber-security-risks/

Report Shows Appalling State of Employee Awareness of Common Cyber Security Risks

The cybersecurity awareness training firm KnowBe4 released its 2021 State of Privacy and Security Awareness Report detailing the appalling state of employee awareness and practices.

The report includes responses from 1,000 employees in small and midsize businesses (SMBs) and large corporations in the United States.

It attempted to determine how much cybersecurity training the workers received and the impact it had on employee awareness of common cybersecurity risks.

The report found that employees could not identify social engineering attacks, security expectations for standard and privileged users, and how cybersecurity risks could adversely affect their employers.



...and in local news.

https://www.databreaches.net/nearly-30k-former-and-current-cu-boulder-students-personal-information-hacked/

Nearly 30K former and current CU Boulder students’ personal information hacked

Alex Rose reports:

The University of Colorado Boulder is sending emails to roughly 30,000 former and current students that have been impacted by a data breach, according to a release from the university.
Most of the people impacted are no longer CU students or employees, according to the release.
The university said the third-party software, provided by Atlassian, had a vulnerability that impacted a program used by the Office of Information Security. The office did an analysis that showed some data was accessed by a hacker.

Read more on KDVR.

It speaks volumes about what kind of year 2021 has been that the university had to add this statement in its notification:

This security incident is unrelated to the cyberattack on CU’s Accellion service earlier this year.



A checklist for my Ethical Hacking students. (One of many)

https://www.csoonline.com/article/3637732/10-essential-skills-and-traits-of-ethical-hackers.html?upd=1635252504158

10 essential skills and traits of ethical hackers



A tool for evidence gathering?

https://www.bespacific.com/heres-the-fbis-internal-guide-for-getting-data-from-att-t-mobile-verizon/

Here’s the FBI’s Internal Guide for Getting Data from AT&T, T-Mobile, Verizon

Vice: “The newly obtained document shows in granular detail the sort of data that the country’s carriers keep, and for how long. Much of the information reiterates what we already knew about law enforcement access to telecommunications data—how officials can request location data from a telecom with a warrant or use court orders to obtain other information on a phone user, for example. But the document does provide insights on what exactly each carrier collects, a more recent run-down of how long each telecom retains certain types of data for, and images of the tool the FBI makes available to law enforcement agencies across the country to analyze cell phone tower data. Ryan Shapiro, executive director of nonprofit organization Property of the People, shared the document with Motherboard after obtaining it through a public record act request. Property of the People focuses on obtaining and publishing government records.

The document, a 139-page slide presentation dated 2019, is written by the FBI’s Cellular Analysis Survey Team (CAST)…”



My AI refuses to read articles like this.

https://www.bespacific.com/the-law-of-ai/

The Law of AI

Jotwell Review by Margot Kaminski: Michael Veale and Frederik Zuiderveen Borgesius, Demystifying the Draft EU Artificial Intelligence Act, 22(4) Computer L. Rev. Int’l 97-112 (2021). [h/t Mary Whisner]

The question of whether new technology requires new law is central to the field of law and technology. From Frank Easterbrook’s “law of the horse” to Ryan Calo’s law of robotics, scholars have debated the what, why, and how of technological, social, and legal co-development and construction. Given how rarely lawmakers create new legal regimes around a particular technology, the EU’s proposed “AI Act” (Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence and Amending Certain Union Legislative Acts) should put tech-law scholars on high alert. Leaked early this spring and officially released in April 2021, the AI Act aims to establish a comprehensive European approach to AI risk-management and compliance, including bans on some AI systems. In Demystifying the Draft EU Artificial Intelligence Act, Michael Veale and Frederik Zuiderveen Borgesius provide a helpful and evenhanded entrée into this “world-first attempt at horizontal regulation of AI systems.” On the one hand, they admire the Act’s “sensible” aspects, including its risk-based approach, prohibitions of certain systems, and attempts at establishing public transparency. On the other, they note its “severe weaknesses,” including its reliance on “1980s product safety regulation” and “standardisation bodies with no fundamental rights experience.” For U.S. (and EU!) readers looking for a thoughtful overview and contextualization of a complex and somewhat inscrutable new legal system, this Article brings much to the table at a relatively concise length.



Perhaps it will be possible for a mere human to audit an AI.

https://singularityhub.com/2021/10/25/not-so-mysterious-after-all-researchers-show-how-to-crack-ais-black-box/

Not So Mysterious After All: Researchers Show How to Crack AI’s Black Box

The deep learning neural networks at the heart of modern artificial intelligence are often described as “black boxes” whose inner workings are inscrutable. But new research calls that idea into question, with significant implications for privacy.

Unlike traditional software whose functions are predetermined by a developer, neural networks learn how to process or analyze data by training on examples. They do this by continually adjusting the strength of the links between their many neurons.

By the end of this process, the way they make decisions is tied up in a tangled network of connections that can be impossible to follow. As a result, it’s often assumed that even if you have access to the model itself, it’s more or less impossible to work out the data that the system was trained on.

But a pair of recent papers have brought this assumption into question, according to MIT Technology Review, by showing that two very different techniques can be used to identify the data a model was trained on. This could have serious implications for AI systems trained on sensitive information like health records or financial data.



The alternative would be a comparable UK company. Can you think of one?

https://www.theguardian.com/uk-news/2021/oct/26/amazon-web-services-aws-contract-data-mi5-mi6-gchq

Amazon given contract to store data for MI5, MI6 and GCHQ

The UK’s spy agencies have given a contract to Amazon Web Services (AWS) to host classified material in a deal aimed at boosting the use of data analytics and artificial intelligence for espionage.

GCHQ had supported the procurement of a high-security cloud system, which would be used by its sister services, MI5 and MI6. Other government departments, such as the Ministry of Defence, would also use the system during joint operations.

The agreement, estimated by industry experts to be worth £500m to £1bn over the next decade, was signed this year with Amazon.com’s cloud service unit AWS, the Financial Times first reported, citing people familiar with the discussions.



Perspective. A podcast.

https://knowledge.wharton.upenn.edu/article/is-the-great-resignation-giving-rise-to-the-entrepreneur/

Is the Great Resignation Giving Rise to the Entrepreneur?

Wharton management professor Jacqueline “Jax” Kirtley isn’t making any predictions about when or how the Great Resignation will end.

Nearly 4.3 million Americans quit their jobs in August, the highest number on record since the government began collecting data 20 years ago. The quit rate coincides with a dramatic surge in applications for new businesses since the COVID-19 pandemic began, mostly for sole-proprietor ventures.

The pandemic is to blame for these concussive shocks to the labor market, but Kirtley is careful about drawing any conclusions.
