Friday, November 18, 2022

Cyber insurance looks like a great business to get out of… What must your premiums be if 80% of your clients make claims?

https://www.cpomagazine.com/cyber-security/80-of-companies-filing-cyber-insurance-claims-portends-higher-costs-new-requirements-for-security-controls/

80% Of Companies Filing Cyber Insurance Claims Portends Higher Costs, New Requirements for Security Controls

Demand has jumped for cyber insurance recently, and companies appear to be quick to make use of it. A new report from cybersecurity firm Delinea finds that nearly 80% of companies that have coverage have used it, and 50% have used it more than once. Yet only 30% are carrying policies that cover critical risks pertaining to ransomware attacks. As a result, requirements by insurers to implement security controls are already on the rise: over half say they are required to perform cybersecurity awareness training, and just under half are required to implement measures such as MFA and regular data backups.



(Related)

https://www.csoonline.com/article/3680588/fortinet-s-fortiguard-labs-recaps-state-of-ransomware-settlements.html#tk.rss_all

Fortinet’s FortiGuard Labs Recaps State of Ransomware Settlements

It’s painfully obvious at this point that ransomware continues to grow in popularity. As Fortinet’s FortiGuard Labs team found, the number of new ransomware variants doubled in just the first half of 2022 compared to the previous six-month period. It’s no wonder more companies are turning to cyber insurance to help recoup their losses when they do have to pay a ransomware settlement.

That’s an option – but think of it as a parachute for your parachute; it doesn’t take the place of having all of your other safety guards in place. Cyber insurance can also be a double-edged sword. It has grown in popularity and usually compensates for losses brought on by hacking and data theft, extortion and destruction. Because it sometimes covers ransomware costs, it may seem like a reasonable way to address this threat.

But cyber insurance isn't nearly the panacea many firms were hoping for, since hackers are well aware that organizations with insurance are more likely to pay out a settlement for ransomware payments.





Cyber war: ready or not, here it comes…

https://www.cyberscoop.com/biden-nspm-13-pentagon-cyber-operations/

Biden set to approve expansive authorities for Pentagon to carry out cyber operations

The Defense Department has largely won out in a long-running bureaucratic battle with the State Department over retaining its broad powers to launch cyber operations, according to two sources familiar with the matter.

President Biden is set to sign off on these authorities in a newly revised version of National Security Policy Memorandum-13, the official said.

First instituted in 2018, NSPM-13 allowed the delegation of “well-defined authorities to the secretary of defense to conduct time-sensitive military operations in cyberspace,” according to a 2020 speech given by Paul Ney, then the general counsel for the DOD. Designed by President Trump’s National Security Council and promoted by then National Security Adviser John Bolton, NSPM-13 was intended to streamline the approval process for cyber operations that Bolton describes in his memoir as “frozen solid” when he arrived in office.





I wonder if we could get the CEO to ‘volunteer’ for this? Might help at budget time.

https://www.nbcnews.com/pop-culture/tiktoker-consensually-doxxing-people-teach-social-media-privacy-rcna55037

This TikToker is 'consensually doxxing' people to teach them about social media privacy

Many users go to great lengths to secure their social media accounts — but one TikTok creator is showing people that their profiles aren’t as private as they seem.

Kristen Sotakoun, 32, is behind a viral TikTok series devoted to “consensual doxxing,” in which she reveals the birthdates of people in her comments section.

Sotakoun isn’t a data privacy expert, nor is she experienced in cybersecurity. She is a restaurant server in Chicago who simply loves puzzles. And that’s how she views each of her consensual doxxing subjects — as a kind of logic game.





For extreme levels of incompetence we shall henceforth use the phrase, “He Musked it up!”

https://www.bloomberg.com/news/articles/2022-11-17/musk-softens-remote-work-mandate-to-retain-twitter-staffers

Musk’s ‘Hardcore’ Ultimatum Sparks Exodus, Leaving Twitter at Risk



(Related)

https://www.theverge.com/2022/11/17/23465274/hundreds-of-twitter-employees-resign-from-elon-musk-hardcore-deadline

Hundreds of employees say no to being part of Elon Musk’s ‘extremely hardcore’ Twitter



(Related)

https://www.thedailybeast.com/sabotage-shy-elon-musk-boards-up-twitter-offices-until-monday-as-remaining-staff-flock-to-quit-report-says

‘Sabotage’-Shy Musk Boards Up Twitter Offices as Staffers Flock to Quit: Report



Thursday, November 17, 2022

If nation states (or their mercenary criminal gangs) keep up aggressive probing they eventually must cross a line that requires retaliation. Does either side know where that line is? Is everything Russia does to the Ukraine a ‘warlike’ hack?

https://www.cpomagazine.com/cyber-security/microsoft-detects-an-increase-in-nation-state-attacks-and-password-attacks/

Microsoft Detects an Increase in Nation-State Attacks and Password Attacks

Microsoft has detected increased nation-state attacks as competing governments rush to compromise systems for cyber espionage and to spread misinformation. The company also observed increased password attacks as hackers “industrialize” cybercrime, thus lowering the entry barrier.

According to Microsoft Digital Defense Report 2022, 90% of Russian attacks were against NATO countries, with nearly half (48%) targeting IT firms.



(Related)

https://thehackernews.com/2022/11/north-korean-hackers-targeting-europe.html

North Korean Hackers Targeting Europe and Latin America with Updated DTrack Backdoor



(Related)

https://thehackernews.com/2022/11/chinese-hackers-using-42000-imposter.html

Chinese Hackers Using 42,000 Imposter Domains in Massive Phishing Attack Campaign



(Related)

https://www.bleepingcomputer.com/news/security/us-govt-iranian-hackers-breached-federal-agency-using-log4shell-exploit/

US govt: Iranian hackers breached federal agency using Log4Shell exploit





Why are security breaches inevitable?

https://www.darkreading.com/application-security/misconfigurations-vulnerabilities-found-in-95-of-applications

Misconfigurations, Vulnerabilities Found in 95% of Applications

Nearly every application has at least one vulnerability or misconfiguration that affects security and a quarter of application tests found a highly or critically severe vulnerability, a new study shows.

Weak SSL and TLS configuration, missing Content Security Policy (CSP) header, and information leakage through server banners topped the list of software issues with security implications, according to findings in software and hardware tools conglomerate Synopsys' new Software Vulnerabilities Snapshot 2022 report published today. While many of the misconfigurations and vulnerabilities are considered to be of medium severity or less, at least 25% are rated highly or critically severe.

Penetration tests, for example, detected 77% of the weak SSL/TLS configuration issues, while dynamic application security testing (DAST) detected the issue in 81% of tests. Both technologies, plus mobile application security testing (MAST), led to the issue being discovered in 82% of tests, according to the Synopsys report.





The subtlety of the spoof…

https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-world-after-all/

Disneyland Malware Team: It’s a Puny World After All

A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic and Ukrainian.

The U.S. financial services firm Ameriprise uses the domain ameriprise.com; the Disneyland Team’s domain for Ameriprise customers is https://www.xn--meripris-mx0doj[.]com [brackets added to defang the domain], which displays in the browser URL bar as ạmeriprisẹ[.]com.

Look carefully, and you’ll notice small dots beneath the “a” and the second “e”. You could be forgiven if you mistook one or both of those dots for a speck of dust on your computer screen or mobile device.
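The Punycode trick described above can be checked mechanically rather than by squinting at the URL bar. The Python below is an added example, not code from the Krebs article or any vendor: it decodes an xn-- label the way a browser would, strips the combining marks so the lookalike collapses to the brand it imitates, and compares the result against a brand list. The brand list, the [.] refang helper and the two-label "registrable domain" shortcut are assumptions of this example.

```python
import unicodedata

# Constructed allow-list of legitimate brand domains; a real deployment would
# load the organisation's own list (assumption for this example).
KNOWN_BRANDS = {"ameriprise.com"}


def hostname(url_or_domain):
    """Pull the host out of a URL or bare domain and undo [.] defanging."""
    host = url_or_domain.strip().split("//")[-1].split("/")[0]
    return host.replace("[.]", ".").lower()


def decode_idn(host):
    """Turn each xn-- label back into the Unicode the browser would render."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            # The bytes after 'xn--' are plain Punycode.
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def skeleton(text):
    """NFD-decompose and drop combining marks, so 'ạ' collapses to plain 'a'."""
    decomposed = unicodedata.normalize("NFD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def registrable(host):
    """Crude 'last two labels' shortcut; a public suffix list would be used in practice."""
    return ".".join(host.split(".")[-2:])


def assess(url_or_domain):
    """Report what the domain renders as, what it looks like with the marks
    stripped, and whether that stripped form collides with a known brand."""
    rendered = decode_idn(hostname(url_or_domain))
    plain = skeleton(rendered)
    odd_chars = [(c, unicodedata.name(c, "UNKNOWN")) for c in rendered if ord(c) > 127]
    return {
        "rendered": rendered,
        "skeleton": plain,
        "non_ascii": odd_chars,
        # Lookalike: strips down to a brand we know, yet is not that brand.
        "lookalike": registrable(plain) in KNOWN_BRANDS and rendered != plain,
    }


if __name__ == "__main__":
    for d in ("https://www.xn--meripris-mx0doj[.]com", "ameriprise.com"):
        print(d, "->", assess(d))
```

Run against the defanged domain quoted above, the report shows the two dotted letters by name (LATIN SMALL LETTER A WITH DOT BELOW and its "e" counterpart) and a skeleton of www.ameriprise.com, which is exactly the collision a mail gateway or proxy should alert on.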





Tools & Techniques. This could be amusing. Create your own ancestors?

https://www.bdtonline.com/news/nation_world/myheritage-releases-ai-time-machine-to-enable-anyone-to-transform-themselves-into-historical-figures-using/article_0f79beb8-5de2-5e3f-9123-6c3e0e846599.html

MyHeritage Releases AI Time Machine™ to Enable Anyone to Transform Themselves Into Historical Figures Using Everyday Photos

MyHeritage, the leading global service for discovering your past and empowering your future, announced today the release of AI Time Machine™, a cutting-edge, fun feature that creates images of a person in different time periods throughout history using text-to-image AI technology. The stunning, hyper-realistic results can easily be shared on social media and used as profile photos to amaze friends and family.






Something for the techies.

https://www.allthingsdistributed.com/2022/11/amazon-1998-distributed-computing-manifesto.html

The Distributed Computing Manifesto

Today, I am publishing the Distributed Computing Manifesto, a canonical document from the early days of Amazon that transformed the architecture of Amazon’s ecommerce platform. It highlights the challenges we were facing at the end of the 20th century, and hints at where we were headed.

During my keynote at AWS re:Invent in a couple of weeks, I plan to talk about how the concepts in this document started to shape what we see in microservices and event driven architectures. Also, in the coming months, I will write a series of posts that dive deep into specific sections of the Distributed Computing Manifesto.

The full text of the Distributed Computing Manifesto is available below. You can also view it as a PDF.



Wednesday, November 16, 2022

We don’t need no stinking papers!

https://www.newshub.co.nz/home/travel/2022/11/air-new-zealand-launches-facial-recognition-verification-at-boarding-gates-after-successful-lax-trial.html

Air New Zealand launches facial recognition verification at boarding gates after successful LAX trial

Air New Zealand is introducing biometric facial recognition verification at its boarding gates in the US after a successful trial at Los Angeles Airport (LAX), the airline has announced.

"Boarding passes will soon be a thing of the past," it said in a statement to media, adding the move is part of its "plan to take the friction out of travel and to make the journey through the airport that much smoother".

"No sighting passports and no scanning boarding passes."





Please describe the solution in 25 words or less. (My AI claims that it will have the answer as soon as it finishes Law School.)

https://www.theverge.com/23444685/generative-ai-copyright-infringement-legal-fair-use-training-data

The scary truth about AI copyright is nobody knows what will happen next

Generative AI has had a very good year. Corporations like Microsoft, Adobe, and GitHub are integrating the tech into their products; startups are raising hundreds of millions to compete with them; and the software even has cultural clout, with text-to-image AI models spawning countless memes. But listen in on any industry discussion about generative AI, and you’ll hear, in the background, a question whispered by advocates and critics alike in increasingly concerned tones: is any of this actually legal?

The question arises because of the way generative AI systems are trained. Like most machine learning software, they work by identifying and replicating patterns in data. But because these programs are used to generate code, text, music, and art, that data is itself created by humans, scraped from the web and copyright protected in one way or another.





Q: How will we be able to tell when Trump is lying? A: Are his lips moving?

https://www.cnn.com/2022/11/15/politics/facebook-fact-check-donald-trump/index.html

Facebook fact-checkers will stop checking Trump after presidential bid announcement

Facebook’s fact-checkers will need to stop fact-checking former President Donald Trump following the announcement that he is running for president, according to a company memo obtained by CNN.

While Trump is currently banned from Facebook, the fact-check ban applies to anything Trump says and false statements made by Trump can be posted to the platform by others. Despite Trump’s ban, “Team Trump,” a page run by Trump’s political group, is still active and has 2.3 million followers.





Tools & Techniques.

https://www.makeuseof.com/tag/see-every-like-post-comment-you-made-facebook/

How to See Every Like, Post, and Comment You've Made on Facebook

… Luckily, it's really easy to find every link, post, and even comment that you've liked. In addition to seeing your likes, you can see pretty much everything you've done on Facebook: what you've posted, commented on, saved, and more.



Tuesday, November 15, 2022

I wonder if this amount is in any way tied to the profits made over the same period?

https://www.nytimes.com/2022/11/14/technology/google-privacy-settlement.html

Google Agrees to $392 Million Privacy Settlement With 40 States

Google agreed to a record $391.5 million privacy settlement with a 40-state coalition of attorneys general on Monday for charges that it misled users into thinking they had turned off location tracking in their account settings even as the company continued collecting that information.

Under the settlement, Google will also make its location tracking disclosures clearer starting in 2023.

The attorneys general said the agreement was the biggest internet privacy settlement by U.S. states.





Well said.

https://www.makeuseof.com/online-privacy-risks-dangers-solutions/

The Myth of Online Privacy: Risks, Dangers, and Solutions

Privacy these days means something completely different than it did even a decade ago. And the only things we have to blame for this are the internet and ourselves.

In the age of the internet, we're only as "private" as the tools we use allow us to be, which isn't much. While you rejoice in using a lot of free tools, know that you're actually paying with data.





For good governance, avoid bad examples…

https://techcrunch.com/2022/11/14/is-elon-musks-twitter-about-to-fall-out-of-the-gdprs-one-stop-shop/

Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop?

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is “main established” (in Twitter’s case, Ireland), rather than having to accept inbound from data protection authorities across the bloc.

However, under Musk’s chaotic reign — which has already seen a fast and deep downsizing of Twitter’s headcount, kicking off with layoffs of 50% of staff earlier this month — questions are being asked over whether its main establishment status in Ireland for the GDPR still holds or not.

The resignation late last week of key senior personnel responsible for ensuring security and privacy compliance looks like a canary in the coal mine when it comes to Twitter’s regulatory situation — with CISO Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty all walking out the door en masse.





This sounds both wishy and washy to me.

https://www.reuters.com/technology/italy-outlaws-facial-recognition-tech-except-fight-crime-2022-11-14/

Italy outlaws facial recognition tech, except to fight crime

Italy prohibited the use of facial recognition and 'smart glasses' on Monday as its Data Protection Agency issued a rebuke to two municipalities experimenting with the technologies.

Facial recognition systems using biometric data will not be allowed until a specific law is adopted or at least until the end of next year, the privacy watchdog said.

The exception is when such technologies play a role in judicial investigations or the fight against crime.





Economics is always interesting (and often confusing).

https://www.foreignaffairs.com/russian-federation/russias-road-economic-ruin

Russia’s Road to Economic Ruin

… Look behind the moderate GDP contraction and inflation figures, however, and it becomes evident that the damage is in fact severe: the Russian economy is destined for a long period of stagnation. The state was already interfering in the private sector before the war. That tendency has become only more pronounced, and it threatens to further stifle innovation and market efficiency. The only way to preserve the viability of the Russian economy is either through major reforms—which are not in the offing—or an institutional disruption similar to the one that occurred with the fall of the Soviet Union.





We will lose this when everything is an eBook.

https://www.bespacific.com/the-value-of-owning-more-books-than-you-can-read-2/

The value of owning more books than you can read

Big Think

  • “Many readers buy books with every intention of reading them only to let them linger on the shelf.

  • Statistician Nassim Nicholas Taleb believes surrounding ourselves with unread books enriches our lives as they remind us of all we don’t know. [we don’t know what we don’t know, until we learn it!]

  • The Japanese call this practice tsundoku, and it may provide lasting benefits.”



Monday, November 14, 2022

Is Colorado ready?

https://news.bloomberglaw.com/bloomberg-law-analysis/analysis-as-ai-meets-privacy-states-answers-raise-questions

ANALYSIS: As AI Meets Privacy, States’ Answers Raise Questions

While artificial intelligence may stir debates about the future, it’s already a part of many attorneys’ current practice. And in 2023, companies doing business in four states—California, Virginia, Colorado, and Connecticut—will need to comply with consumer privacy laws governing AI-powered data processing. The regulatory answers proposed by these states on how to leverage AI in compliance with privacy laws are already spurring questions that will likely linger long after the laws take effect.

The following graphic compares AI-related requirements from the GDPR and California’s, Virginia’s, Colorado’s, and Connecticut’s privacy laws.





To the extent that the hackers are state sponsored, has Australia just started a cyber war? Or are all but ‘criminals’ off limits?

https://www.theregister.com/2022/11/14/australia_offensive_ops_against_ransomware/

Australia to 'stand up and punch back' against cyber crims

Australia's government has declared the nation is planning to go on the offensive against international cyber crooks following recent high-profile attacks on local health insurer Medibank and telco Optus.

The aggressive posture was expressed in the announcement of a "Joint standing operation" that will see the Australian Federal Police and the Australian Signals Directorate (Australia's GCHQ/NSA analog) run a team with a mission "to investigate, target and disrupt cyber-criminal syndicates with a priority on ransomware threat groups."

Minister for Home Affairs and Cyber Security Clare O'Neil said the operation will "scour the world, hunt down the criminal syndicates and gangs who are targeting Australia in cyber-attacks, and disrupt their efforts."





Not a ‘Terminator,’ just an annoying insect.

https://www.telegraph.co.uk/global-health/terror-and-security/drone-assassins-micro-killing-machine/

Microdrones: the AI assassins set to become weapons of mass destruction

Drones are in the news again, but not as we have come to know them. Last month Britain announced it was sending 850 Black Hornet “microdrones” to Kyiv for use in close-quarters combat.

The idea was (before the spectacular Russian collapse in recent weeks) that they would lend Ukrainian troops a crucial edge in the vicious urban fighting that was expected as they sought to liberate their towns and cities.

These machines are a far cry from the large unmanned aerial vehicles (UAVs) associated with the war on terror, the ubiquitous Predator and Reaper drones that delivered death from the upper skies with almost god-like insouciance.

Black Hornets are actually more like a child’s toy. Measuring just over six inches and weighing a little less than a plum, they will literally peer round corners and sneak through windows.

… At £10,000 a pop, but bound to get cheaper, it offers what soldiers since before Thermopylae have craved: situational awareness and the ability to “see over the hill” – without having to send some poor blighter to the top of it.





Ethics in the pre-Machine Learning world. (No doubt used to train the ML)

https://dilbert.com/strip/2022-11-14



Sunday, November 13, 2022

It’s not that easy…

https://www.tandfonline.com/doi/full/10.1080/13501763.2022.2126515

Governing AI – attempting to herd cats? Introduction to the special issue on the governance of artificial intelligence

Artificial Intelligence raises new, distinct governance challenges, as well as familiar governance challenges in novel ways. The governance of AI, moreover, is not an issue of distant futures, it is well underway – and it has characteristics akin to ‘herding cats’ with a mind of their own. This essay introduces the contributions to the special issue, situating them in broader social science literatures. It then provides a sketch of an interdisciplinary research agenda. It highlights the limits of 'explainable AI', makes the case for considering AI ethics and AI governance simultaneously, identifies 'system effects' arising from the introduction of AI applications as an underappreciated risk, and calls for policymakers to consider both the opportunities and the risks of AI. Focusing on the (ab)uses of AI, rather than the highly complex, rapidly changing and hard-to-predict technology as such, might provide a superior approach to governing AI.





“Subtle is as subtle does.” F. Gump

https://www.makeuseof.com/what-is-living-off-the-land-attack/

What Is a Living-Off-the-Land Attack and How Can You Prevent It?

A LotL attack is a kind of fileless attack where a hacker uses the programs already on a device instead of using malware. This method of using native programs is more subtle and makes discovering the attack less likely.

Some native programs hackers often use for LotL attacks include the command line console, PowerShell, the Windows registry console, and the Windows Management Instrumentation command line. Hackers also use Windows-Based and Console-Based Script hosts (WScript.exe and Cscript.exe). The tools come with every Windows computer and are necessary for executing normal administrative tasks.
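Because the binaries listed above ship with every Windows machine and run legitimately all day, blocking them outright is not realistic; what a defender can do is look at who launched them. The Python below is an added example, not from the MakeUseOf article: it reads constructed Sysmon-style process-creation records and flags the listed tools only when a document, mail or browser application spawned them. The parent list, the CSV layout and the sample events are assumptions of this example.

```python
import csv
import io
import ntpath

# Native Windows binaries the article names as LotL favourites. The
# "Windows registry console" is taken as reg.exe, with regedit.exe added.
LOTL_TOOLS = {"cmd.exe", "powershell.exe", "reg.exe", "regedit.exe",
              "wmic.exe", "wscript.exe", "cscript.exe"}

# Constructed assumption: applications that open untrusted content and have
# little business launching an admin tool. Admin shells are left alone.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation events, Sysmon-style fields flattened to CSV:
# timestamp, parent image, child image, command line.
SAMPLE_LOG = r"""2022-11-13T09:12:01Z,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe,cmd.exe /c dir
2022-11-13T09:15:44Z,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE,C:\Windows\System32\wscript.exe,wscript.exe C:\Users\alice\AppData\Local\Temp\script.js
2022-11-13T09:16:02Z,C:\Windows\System32\services.exe,C:\Windows\System32\wbem\WMIC.exe,wmic os get caption
2022-11-13T09:20:19Z,C:\Windows\explorer.exe,C:\Windows\notepad.exe,notepad.exe notes.txt
"""


def basename(path):
    """Lower-cased file name from a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def triage(log_text):
    """Return one alert per LotL tool launched by a document-handling parent.

    Plain use of the same tools by explorer.exe or services.exe is ignored,
    which is what keeps this from paging on every administrator session.
    """
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed records
        ts, parent_path, image_path, cmdline = row
        tool, parent = basename(image_path), basename(parent_path)
        if tool in LOTL_TOOLS and parent in DOCUMENT_PARENTS:
            alerts.append({"time": ts, "parent": parent,
                           "tool": tool, "cmdline": cmdline})
    return alerts


def tool_usage(log_text):
    """Count launches per LotL tool, useful for baselining what 'normal' looks like."""
    counts = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) == 4 and basename(row[2]) in LOTL_TOOLS:
            counts[basename(row[2])] = counts.get(basename(row[2]), 0) + 1
    return counts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print("ALERT", alert)
    print("baseline", tool_usage(SAMPLE_LOG))
```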





Coming soon to a courtroom near you?

https://www.databreaches.net/uk-hacked-evidence-and-stolen-data-swamp-english-courts/

UK: Hacked evidence and stolen data swamp English courts

Franz Wild, Ed Siddons, Simon Lock, Jonathan Calvert, and George Arbuthnott report:

A multimillion-pound high court case between an authoritarian Gulf emirate and an Iranian-American businessman has revealed how hacked evidence is being used by leading law firms to advance their clients’ claims.
It includes allegations that a former Metropolitan Police officer hired Indian hackers and that lawyers from a top City firm held a secret “perjury school” in the Swiss Alps to prepare false witness testimonies about how they got hold of illegally obtained information.
Last week the Bureau of Investigative Journalism and the Sunday Times exposed the criminal activities of Aditya Jain, a 31-year-old computer security expert who set up a “hack-for-hire” operation from his apartment in Gurugram, India.

Read more at the Bureau of Investigative Journalism, keeping in mind this statement from the piece:

A striking feature of the English legal system is that a judge will accept hacked emails as evidence in court unless persuaded to exclude it. Peter Ashford, a London solicitor and expert in the admissibility of illegal evidence, claims the English system is “the most liberal”. He added: “Even if you’ve done the hacking, you’ve still got a pretty good chance of getting it in [to the court].”





AI judges for some things, but not all?

https://link.springer.com/chapter/10.1007/978-3-031-15746-2_14

Automated Justice: Issues, Benefits and Risks in the Use of Artificial Intelligence and Its Algorithms in Access to Justice and Law Enforcement

The use of artificial intelligence (AI) in the field of law has generated many hopes. Some have seen it as a way of relieving courts’ congestion, facilitating investigations, and making sentences for certain offences more consistent—and therefore fairer. But while it is true that the work of investigators and judges can be facilitated by these tools, particularly in terms of finding evidence during the investigative process, or preparing legal summaries, the panorama of current uses is far from rosy, as it often clashes with the reality of field usage and raises serious questions regarding human rights. This chapter will use the Robodebt Case to explore some of the problems with introducing automation into legal systems with little human oversight. AI—especially if it is poorly designed—has biases in its data and learning pathways which need to be corrected. The infrastructures that carry these tools may fail, introducing novel bias. All these elements are poorly understood by the legal world and can lead to misuse. In this context, there is a need to identify both the users of AI in the area of law and the uses made of it, as well as a need for transparency, the rules and contours of which have yet to be established.





This could make it easier to ‘sell’ AI ethics…

https://link.springer.com/chapter/10.1007/978-3-031-09846-8_13

Ethics Auditing: Lessons from Business Ethics for Ethics Auditing of AI

This chapter reviews the business ethics literature on ethics auditing to extract lessons for the emerging practice of ethics auditing of Artificial Intelligence (AI). It reviews the definitions, purposes and motivations of ethics audits, identifies their benefits as well as limitations, and compares various theoretical and practical approaches to ethics auditing. It distils seven lessons for the ethics auditing of AI and finds that ethics audits need to be comprehensive, involve stakeholders, entice behaviour change, be pragmatic and rigorous, be widely endorsed, fitting in context but also comparable, and lastly integrate a technical dimension with an organisational dimension. It is crucial that, while ethics auditing can also have financial benefits, their main goal must remain the improvement of the ethical performance and meaningful accountability of the audited organisation. The novel elements of AI should not blind us to the continuities of social embeddedness and organisational dynamics. Ethics auditing of AI can learn valuable lessons from failed and successful previous efforts to audit the ethics of organisations.





As opposed to ‘fair and legal’ discrimination. (Define one and you automatically define the other.)

https://link.springer.com/chapter/10.1007/978-3-031-17040-9_2

Unfair and Illegal Discrimination

There is much debate about the ways in which artificial intelligence (AI) systems can include and perpetuate biases and lead to unfair and often illegal discrimination against individuals on the basis of protected characteristics, such as age, race, gender and disability. This chapter describes three cases of such discrimination. It starts with an account of the use of AI in hiring decisions that led to discrimination based on gender. The second case explores the way in which AI can lead to discrimination when applied in law enforcement. The final example looks at implications of bias in the detection of skin colour. The chapter then discusses why these cases are considered to be ethical issues and how this ethics debate relates to well-established legislation around discrimination. The chapter proposes two ways of raising awareness of possible discriminatory characteristics of AI systems and ways of dealing with them: AI impact assessments and ethics by design.





‘cause I gots kulture.

https://www.makeuseof.com/tag/top-10-sites-listen-classical-music/

The Top 10 Sites To Listen To Classical Music