Robert Grupe's AppSecNewsBits & AI 2024-10-19
What's Weak This Week: Change Healthcare attack costs now up to $2.87B in 2024 with more in 2025, SolarWinds, Kubernetes Image Builder, Casio, ESET, Cisco, Fortinet, WordPress, ...
EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
U.S. Officials Race to Understand Severity of China’s Salt Typhoon Hacks
Federal authorities and cybersecurity investigators are probing the breaches of Verizon Communications, AT&T and Lumen Technologies. A stealthy hacking group known as Salt Typhoon tied to Chinese intelligence is believed to be responsible. The compromises may have allowed hackers to access information from systems the federal government uses for court-authorized network wiretapping requests.
Chinese hack of US ISPs shows why Apple is right about backdoors for law enforcement
It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US. What’s notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement.
Apple is absolutely right to say that the moment you build in a backdoor for use by governments, it will only be a matter of time before hackers figure it out. You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they’re not – and if they’re not then it’s a question of when, rather than if, others are able to exploit the vulnerability.
Casio says 'no prospect of recovery yet' after ransomware attack
Japanese electronics giant Casio has confirmed that many of its systems remain unusable almost two weeks after it was hit by a ransomware attack.
“Since October 5, our servers experienced a system failure that rendered several of them unusable,” the company said, adding that it subsequently took measures to disconnect its servers to prevent the spread of damage. “This countermeasure is affecting our receiving and placing orders with suppliers and schedule of product shipments,” Hara said. “There is no prospect of recovery yet, but we are prioritizing our customers as we move forward with recovery.”
Casio revealed it had been the victim of a ransomware attack, which saw attackers compromise sensitive company data and the personal information of employees, contractors, business partners, and job applicants. This data theft was claimed by the Underground ransomware group, which shared alleged samples of the stolen Casio data on its dark web leak site. The hackers left a threatening message indicating their intention to leak the company's data, but Casio had not received a ransom demand.
Cisco takes DevHub portal offline after hacker publishes stolen data
Cisco confirmed today that it took its public DevHub portal offline after a threat actor leaked "non-public" data, but it continues to state that there is no evidence that its systems were breached.
"We have determined that the data in question is on a public-facing DevHub environment—a Cisco resource center that enables us to support our community by making available software code, scripts, etc. for customers to use as needed. At this stage in our investigation, we have determined that a small number of files that were not authorized for public download may have been published."
The IntelBroker hacker said he gained access to a Cisco third-party developer environment through an exposed API token. During Cisco's investigation, IntelBroker grew increasingly frustrated when the company would not acknowledge a security incident, sharing screenshots with BleepingComputer to prove he had access to a Cisco developer environment. These screenshots and files, which BleepingComputer also shared with Cisco, showed that the threat actor had access to most, if not all, of the data stored on this portal. This data included source code, configuration files with database credentials, technical documentation, and SQL files.
ESET partner breached to send data wipers to Israeli orgs
A data wiper is malware that intentionally deletes all of the files on a computer and commonly removes or corrupts the partition table to make it harder to recover the data. Hackers breached ESET's exclusive partner in Israel to send phishing emails to Israeli businesses that pushed data wipers disguised as antivirus software for destructive attacks. In a phishing campaign that started on October 8th, emails branded with ESET's logo were sent from the legitimate eset[.]co[.]il domain, indicating that the Israel division's email server was breached as part of the attack. The emails pretend to be from "ESET's Advanced Threat Defense Team," warning customers that government-backed attackers are trying to target the recipient's device. To help protect the device, the emails offer a more advanced antivirus tool called "ESET Unleashed" to protect against the threat.
Change Healthcare Ransomware Attack Cost to Rise to $2.87bn in 2024
UnitedHealth Group’s Q1 2024 earnings report estimated total losses due to the cyberattack would be $1.6 billion in 2024. By the end of Q2 2024, the estimate had increased to between $2.3 billion and $2.45 billion, almost $1 billion more than expected at the end of Q1. In the 9 months to September 30, 2024, UnitedHealth Group reported $1.521 billion in direct response costs and $2.457 billion in total cyberattack impacts, and the total anticipated cost of the Change Healthcare ransomware attack has been revised to $2.87 billion in 2024.
Third quarter earnings from operations were $8.7 billion, including $0.3 billion in unfavorable cyberattack effects. Adjusted earnings from operations of $9.0 billion include the Change Healthcare business disruption impacts and exclude the cyberattack direct response costs.
UnitedHealth Group disbursed $8.9 billion in loans to providers adversely affected by the Change Healthcare ransomware attack and has recovered $3.2 billion. UnitedHealth Group said it has made substantial progress recovering from the ransomware attack with most systems now back online; however, transaction volumes are still not at pre-event levels. “We continue to work with customers to bring transaction volumes back to pre-event levels and to win new business with our now more modern, secure and capable offerings. We expect to continue to build back the business to pre-attack levels over the course of ’25 and estimate next year’s full year impact will be roughly half of the ’24 level.”
Troubled US insurance giant Globe Life hit by extortion after data leak
"Following an inquiry from a state insurance regulator, Globe Life initiated a review of potential vulnerabilities related to access permissions and user identity management for a Company web portal," Globe Life told the SEC in June. The misconfigured portal "likely resulted in unauthorized access to certain consumer and policyholder information."
Globe Life said it was recently contacted by an unknown threat actor asking for money in exchange for not publishing "certain information held and used by the Company and its independent agents."
What is fresh is the fact that the unknown threat actor behind the extortion attempt influenced the short sellers. "The threat actor also shared information about a limited number of individuals to short sellers and plaintiffs' attorneys," Globe Life said in today's SEC filing. "The threat actor claims to possess additional categories of information, which claims remain under investigation and have not been verified." That claim could serve Globe Life well in court, where it's currently being sued by shareholders who allege the company's lies, as reported by the short sellers, caused artificial inflation of shares and losses after share prices dropped.
Critical hardcoded SolarWinds credential now exploited in the wild
This is the SolarWinds best known for the backdoor maliciously added to its Orion suite in a supply-chain attack by Russia on public and private organizations around the world.
The 9.1 CVSS-rated oversight allows remote, unauthenticated attackers to log into vulnerable instances via these baked-in creds, and then access internal functionality and modify sensitive data.
While this vulnerability does not lead to fully compromising the WHD server itself, the risk of lateral movement via credentials was high.
This is SolarWinds' second actively exploited bug in this same product in two months.
Critical default credential in Kubernetes Image Builder allows SSH root access
A critical bug in Kubernetes Image Builder could allow unauthorized SSH access to virtual machines (VMs) thanks to default credentials being included during the image build process.
The flaw is tracked as CVE-2024-9486 and earned a 9.8 out of 10 CVSS severity rating. It affects VM images built with the Proxmox provider on Image Builder version 0.1.37 or earlier.
US contractor pays $300K to settle accusation it didn't properly look after Medicare users' data
Virginia-based ASRC Federal Data Solutions (AFDS) signed a deal with the Justice Department this week agreeing to pay $306,722 in restitution, but without admitting liability for the allegations. AFDS also agreed to waive rights to reimbursement for the money it already spent remediating the data exposure. This includes the $877,578 spent notifying victims that their data had been leaked and offering credit monitoring.
The subcontractor used disk-level encryption for files stored on the server but it was only configured to block access by those using invalid credentials. Anyone with valid credentials could have accessed the protected files.
During the specified timeframe, the subcontractor allegedly took screenshots from CMS systems that contained personally identifiable information (PII). These screenshot files weren't encrypted individually and were later accessed by an unauthorized third party who was using valid credentials.
The allegations were made by the US under the False Claims Act, and specifically relate to AFDS billing the CMS for "time spent taking, storing, and managing the unencrypted screenshots" – all while operating in alleged violation of the HHS's cyber security requirements.
US Gryphon Healthcare admits up to 400,000 people's personal info was snatched
Gryphon Healthcare, which provides revenue cycle and management services, said patients' names, dates of birth, addresses, and Social Security numbers were all potentially accessed by a malicious attacker.
Organizations could include hospitals, emergency departments and EMS providers, imaging centers, independent labs, the incredibly broad catch-all "healthcare facilities," ambulatory surgery centers, and private practices.
Gryphon detected the incident on August 13, finished its review of the impacted data on September 3, and began notifying those affected on Friday. According to its filing with Maine's Attorney General, the first time the data was accessed by an unauthorized person was on July 6.
Gryphon didn't specify the nature of the events that led to the exposure of the data, describing it only as a "recent data security incident." However, it may have to reveal a little more in the coming months as lawyers wasted no time in working up a proposed class-action lawsuit. Tulsa, OK-based Abington Cole and Ellery started appealing for victims of the data protection mess to come forward on Saturday, a day after letters to victims were mailed out.
Thousands of Fortinet instances vulnerable to actively exploited flaw
More than 86,000 Fortinet instances remain vulnerable to the critical flaw that attackers started exploiting last week.
Carrying a CVSS v3 severity rating of 9.8, the remote code execution vulnerability is about as serious as they come. The assessment of CVE-2024-23113 concluded any successful exploit would have a high impact on data confidentiality, system integrity, and service availability, and required no privileges or user interaction to pull it off. CVE-2024-23113 was first disclosed in February, but the bad guys had been too busy experimenting with other critical bugs that were fixed around the same time. For reasons unknown, the vulnerability has only recently caught the attention of attackers. The US's Cybersecurity and Infrastructure Security Agency (CISA) broke the news it was being actively exploited last week by adding it to the Known Exploited Vulnerabilities (KEV) catalog.
Jetpack fixes 8-year-old flaw affecting millions of WordPress sites
During an internal security audit, a vulnerability in the Contact Form feature in Jetpack was found. This vulnerability could be used by any logged-in user on a site to read forms submitted by visitors on the site.
Jetpack is a WordPress plugin developed by Automattic, offering features like antispam filtering, site analytics, and more. It released security patches for 101 different versions going all the way back to 2016's version 3.9.9, which introduced a flaw that's been present in the product ever since.
WeChat devs introduced security flaws when they modded TLS
WeChat uses MMTLS, a cryptographic protocol heavily based on TLS 1.3. The devs essentially tweaked standard TLS, but that in turn left the app with an encryption implementation that "is inconsistent with the level of cryptography you would expect in an app used by a billion users, such as its use of deterministic IVs and lack of forward secrecy."
The most serious issue the researchers found, however, was that the business-layer encryption doesn't encrypt metadata such as user IDs and request URIs, leaking them in plain text.
Archive.org, a repository of the history of the Internet, has a data breach
Archive[.]org's Brewster Kahle said on the social media site X that the archive had come under a DDoS attack. Then “Have I Been Pwned” reported that archive[.]org was hacked. HIBP said the compromise occurred last month and exposed 31 million records containing email addresses, screen names, and bcrypt-hashed passwords.
Microsoft warns it lost some customers' security logs for a month
Microsoft says the logging failure was caused by a bug introduced when fixing a different issue in the company's log collection service.
Microsoft began notifying customers that their logging data had not been consistently collected between September 2nd and September 19th. The lost logs include security data commonly used to monitor for suspicious traffic, behavior, and login attempts on a network, increasing the chances for attacks to go undetected. Logging issues were worse for some services, continuing until October 3rd.
The initial change was to address a limit in the logging service, but when deployed, it inadvertently triggered a deadlock-condition when the agent was being directed to change the telemetry upload endpoint in a rapidly changing fashion while a dispatch was underway to the initial endpoint. This resulted in a gradual deadlock of threads in the dispatching component, preventing the agent from uploading telemetry. The deadlock impacted only the dispatching mechanism within the agent with other functionalities working normally, including collecting and committing data to the agent’s local durable cache. A restart of the agent or the OS resolves the deadlock, and the agent uploads data it has within its local cache upon starting. There were situations where the amount of log data collected by the agent was larger than the local agent’s cache limit before a restart occurred, and in these cases the agent overwrote the oldest data in the cache (circular buffer retaining the most recent data, up to the size limit). The log data beyond the cache size limit is not recoverable.
HACKING
Fake Google Meet conference errors push infostealing malware
ClickFix is a social-engineering tactic that emerged in May, first reported by cybersecurity company Proofpoint, from a threat actor (TA571) that used messages impersonating errors for Google Chrome, Microsoft Word, and OneDrive.
The errors prompted the victim to copy to clipboard a piece of PowerShell code that would fix the issues by running it in Windows Command Prompt.
The threat actors are using fake pages for Google Meet, the video communication service part of Google Workspace suite, popular in corporate environments for virtual meetings, webinars, and online collaboration.
An attacker would send victims emails that look like legitimate Google Meet invitations related to a work meeting/conference or some other important event.
The URLs closely resemble actual Google Meet links:
meet[.]google[.]us-join[.]com
meet[.]google[.]web-join[.]com
meet[.]googie[.]com-join[.]us
meet[.]google[.]cdm-join[.]us
Once the victim gets on the fake page, they receive a pop-up message informing of a technical issue, such as a microphone or headset problem.
If they click on "Try Fix," a standard ClickFix infection process starts where PowerShell code copied by the website and pasted on the Windows prompt infects their computer with malware, fetching the payload from the 'googiedrivers[.]com' domain.
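A defender can catch this class of link mechanically, because the brand name sits in a subdomain or is misspelled while the registrable domain belongs to someone else. The following is an added example, not code from the newsletter or the cited report; the trusted-domain list, the two-label registrable-domain shortcut, and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Registrable domains the brand really uses (assumption: extend for your org).
TRUSTED_REGISTRABLE = {"google.com"}
# Brand tokens to watch for anywhere in a hostname.
BRAND_TOKENS = {"google"}


def refang(indicator):
    """Turn a defanged indicator such as meet[.]google[.]com back into a host."""
    return indicator.replace("[.]", ".")


def host_of(url_or_host):
    """Extract the lowercase hostname from a URL or a bare/defanged host."""
    s = refang(url_or_host.strip())
    if "://" not in s:
        s = "//" + s  # lets urlsplit treat a bare host as the netloc
    return (urlsplit(s).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """Last two labels. Simplification: production code should consult the
    Public Suffix List so that suffixes like co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host):
    """Return (verdict, registrable_domain).

    trusted   : the registrable domain is on the allow list
    lookalike : a brand token (exact or one edit away) appears in the host,
                but the registrable domain is not trusted
    unrelated : no brand token present
    """
    host = host_of(url_or_host)
    reg = registrable_domain(host)
    if reg in TRUSTED_REGISTRABLE:
        return ("trusted", reg)
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for token in tokens:
        if any(edit_distance(token, brand) <= 1 for brand in BRAND_TOKENS):
            return ("lookalike", reg)
    return ("unrelated", reg)


# The four hosts listed above, plus two constructed benign inputs.
SAMPLES = [
    "meet[.]google[.]us-join[.]com",
    "meet[.]google[.]web-join[.]com",
    "meet[.]googie[.]com-join[.]us",
    "meet[.]google[.]cdm-join[.]us",
    "https://meet.google.com/abc-defg-hij",  # constructed: genuine-style link
    "intranet.example.org",                  # constructed: unrelated host
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, reg = classify(sample)
        print(f"{verdict:9}  registrable={reg:14}  {sample}")
```

The same check fits a mail gateway or proxy rule: the verdict depends on the registrable domain, not on whether the hostname starts with something familiar.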
Biz hired, and fired, a fake North Korean IT worker – then the ransom demands began
It's a pattern cropping up more and more frequently: a company fills an IT contractor post, not realizing it's mistakenly hired a North Korean operative. The phony worker almost immediately begins exfiltrating sensitive data, before being fired for poor performance. Then the six-figure ransom demands – accompanied by proof of the stolen files – start appearing.
Secureworks reports that their forensic evidence found free SplitCam virtual video clone software – which can help disguise the fake workers' identity and location – in use on the scammers' laptops. "Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies' requests to enable video on calls."
Chinese Researchers Reportedly Crack Encryption With Quantum Computer
A quantum computer from the Canadian firm D-Wave can effectively crack a popular encryption method. Researchers found it can attack Rivest-Shamir-Adleman (RSA) encryption, which is used by web browsers, VPNs, email services, and chips from brands like Samsung and LG. It can also target the Advanced Encryption Standard (AES).
The researchers used a D-Wave Advantage quantum computer to achieve the "first 50-bit RSA integer decomposition," according to a translation. D-Wave quantum computers can be rented via a quantum cloud service for about $2,000 an hour. The machines themselves are exponentially more expensive (in 2017, a D-Wave quantum computer cost roughly $15 million).
In 2022, Chinese researchers described a potential method to break RSA-2048 encryption, but argued that their method would require "millions of qubits" and therefore was "far beyond current technical capabilities." The D-Wave Advantage, by comparison, has over 5,000 qubits.
Here’s how SIM swap in alleged bitcoin pump-and-dump scheme worked
The telephone number at issue in the SIM swap was used to provide two-factor authentication for the SEC X account, which authorized commission personnel to post official communications. One of the people connected to the conspiracy then used the 2FA code to compromise the X account to tweet false information that caused the price of a single bitcoin to increase by $1,000.
“Today, the SEC grants approval for #Bitcoin ETFs for listing on all registered national securities exchanges,” the fraudulent Tweet stated. After the truth emerged that the SEC account had been hijacked and no such approval had occurred, the price of bitcoin fell by $2,000.
Invisible text that AI chatbots understand and humans can’t? Yep, it’s a thing.
What if there was a way to sneak malicious instructions into Claude, Copilot, or other top-name AI chatbots and get confidential data out of them by using characters large language models can recognize and their human users can’t? As it turns out, there was—and in some cases still is.
The invisible characters, the result of a quirk in the Unicode text encoding standard, create an ideal covert channel that can make it easier for attackers to conceal malicious payloads fed into an LLM. The hidden text can similarly obfuscate the exfiltration of passwords, financial information, or other secrets out of the same AI-powered bots. Because the hidden text can be combined with normal text, users can unwittingly paste it into prompts. The secret content can also be appended to visible text in chatbot output. The result is a steganographic framework built into the most widely used text encoding channel.
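An input and output filter can find, reveal and strip such characters before text reaches the model or the user. This is an added example, not code from the newsletter or the research it cites; it assumes the characters in question are the Unicode Tags block (U+E0000 to U+E007F), which the text above does not name, and it also reports other zero-width format characters.

```python
import unicodedata

# Unicode "Tags" block: each code point mirrors an ASCII character at
# (code point - 0xE0000) and renders as nothing in most user interfaces.
TAG_START, TAG_END = 0xE0000, 0xE007F


def is_tag(ch):
    return TAG_START <= ord(ch) <= TAG_END


def find_invisible(text):
    """Return (index, code point, kind) for every invisible character.

    kind is "tag" for the Tags block and "format" for other characters in
    general category Cf (zero-width space, soft hyphen, bidi controls, ...).
    """
    findings = []
    for i, ch in enumerate(text):
        if is_tag(ch):
            findings.append((i, f"U+{ord(ch):04X}", "tag"))
        elif unicodedata.category(ch) == "Cf":
            findings.append((i, f"U+{ord(ch):04X}", "format"))
    return findings


def reveal_tag_text(text):
    """Map tag characters back to the ASCII they mirror, so an analyst can
    read what was hidden. Only U+E0020..U+E007E mirror printable ASCII."""
    return "".join(
        chr(ord(ch) - TAG_START) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E
    )


def sanitize(text, strip_format=False):
    """Remove Tags-block characters; optionally remove all Cf characters.

    Caveat: some Cf characters are legitimate (zero-width joiner in emoji and
    several scripts), and tag characters appear in subdivision flag emoji, so
    decide per application whether to strip, reject, or only log.
    """
    kept = []
    for ch in text:
        if is_tag(ch):
            continue
        if strip_format and unicodedata.category(ch) == "Cf":
            continue
        kept.append(ch)
    return "".join(kept)


# Constructed sample: visible text, four tag characters mirroring "test",
# and one zero-width space before the exclamation mark.
SAMPLE = (
    "Summarise the attached report."
    "\U000E0074\U000E0065\U000E0073\U000E0074"
    " Thanks\u200b!"
)

if __name__ == "__main__":
    for index, codepoint, kind in find_invisible(SAMPLE):
        print(f"offset {index}: {codepoint} ({kind})")
    print("hidden tag text:", repr(reveal_tag_text(SAMPLE)))
    print("sanitized      :", repr(sanitize(SAMPLE, strip_format=True)))
```

Run the same scan on model output as well as on prompts, since hidden text can travel in either direction.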
LLM attacks take just 42 seconds on average, 20% of jailbreaks succeed
Pillar Security's State of Attacks on GenAI report revealed new insights on LLM attacks and jailbreaks, based on telemetry data and real-life attack examples from more than 2,000 AI applications.
Customer service and support-related LLMs were also the most targeted by attacks and jailbreaks, accounting for 25% of all attacks. LLM applications in the energy sector, consultancy services and engineering software industries were also frequently targeted with attacks.
The most common jailbreak technique identified was the “ignore previous instructions” technique.
The second most common was the “strong arm” technique that involves forceful and authoritative statements like “ADMIN OVERRIDE” to convince the chatbot to obey the attacker despite its system guardrails.
The third most prevalent was base64 encoding, in which prompts are encoded in base64 to bypass filters, and the LLM decodes and processes the disallowed content.
Static controls are no longer sufficient in this dynamic AI-enabled world. Organizations must prepare for a surge in AI-targeting attacks by implementing tailored red-teaming exercises and adopting a ‘secure by design’ approach in their GenAI development process.
OpenAI confirms threat actors use ChatGPT to write malware
OpenAI has disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks.
North Korean hackers use newly discovered Linux malware to raid ATMs
In the beginning, North Korean hackers compromised the banking infrastructure running AIX, IBM’s proprietary version of Unix. Next, they hacked infrastructure running Windows. Now, the state-backed bank robbers have expanded their repertoire to include Linux. The malware, tracked under the name FASTCash, is a remote access tool that gets installed on payment switches inside compromised networks that handle payment card transactions.
Discovery of the Linux variant further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments.
Unknown drone fleet breached US military base airspace in Virginia for 17 straight days
For several nights last December, U.S. military personnel reported witnessing a fleet of unknown unmanned aircraft breach restricted airspace over a stretch of land at Langley Air Force Base along Virginia's shore.
The drones were roughly 20 feet long and flying at more than 100 miles an hour, at an altitude of roughly 3,000 to 4,000 feet. As many as a dozen or more drones followed, flying across Chesapeake Bay, and then traveling toward Norfolk, Virginia, and through a space overlooking the base for the Navy’s SEAL Team Six and Naval Station Norfolk, the world’s largest naval port. Two months before the drone fleet emerged in Virginia, five mysterious drones reportedly breached restricted airspace over a government nuclear weapons experiment site in Nevada.
Ten thousand drone show sets two new records in Shenzhen
A Chinese live event has broken the world record for the ‘largest number of drones flying simultaneously under the control of a single computer’. A total of 10,197 drones took to the sky over Shenzhen on 26 September to mark the upcoming National Day public holiday on 1 October.
EDRSilencer red team tool used in attacks to bypass security
Endpoint Detection and Response (EDR) tools are security solutions that monitor and protect devices from cyber threats. EDRSilencer is an open-source tool inspired by MDSec NightHawk FireBlock, a proprietary pen-testing tool, which detects running EDR processes and uses Windows Filtering Platform (WFP) to monitor, block, or modify network traffic on the IPv4 and IPv6 communication protocols. WFP is typically used in security products such as firewalls, antivirus, and other security solutions, and filters set in the platform are persistent. With custom rules in place, an attacker can disrupt the constant data exchange between an EDR tool and its management server, preventing the delivery of alerts and detailed telemetry reports.
European govt air-gapped systems breached using custom malware
Air-gapped systems are used in critical operations, which often manage confidential information, and are isolated from open networks as a protection measure.
In 2022, the hacking group GoldenJackal began using a new Go-based modular toolset that performed traditional USB drive-based but allowed the attackers to task different machines with separate roles.
APPSEC, DEVSECOPS, DEV
Google: 70% of exploited flaws disclosed in 2023 were zero-days
Of the 138 vulnerabilities disclosed as actively exploited in 2023, Mandiant says 97 (70.3%) were leveraged as zero-days. This means that threat actors exploited the flaws in attacks before the impacted vendors knew of the bugs' existence or had been able to patch them.
From 2020 until 2022, the ratio between n-days (fixed flaws) and zero-days (no fix available) remained relatively steady at 4:6, but in 2023, the ratio shifted to 3:7. Google explains that this is not due to a drop in the number of n-days exploited in the wild but rather an increase in zero-day exploitation and the improved ability of security vendors to detect it.
Tech leaders top security concerns
55.4% still cite phishing as the primary security concern, followed by network intrusion (39.9%) and ransomware (35.1%).
[rG: Note that despite decades of efforts, AI still has not been able to slow spam and phishing.]
AI-enabled security tools rank as the top priority for the coming year (34.4%), with security automation following closely (28.2%).
88.1% have adopted multifactor authentication, 60.1% have implemented endpoint security, and 49.2% have adopted a zero trust model.
Despite 51.3% of companies requiring certifications for hiring, 40.8% of security team members remain uncertified. This gap is pronounced among incident responders (70% uncertified) but less so for CISOs (33.3% uncertified).
Over 80% of employers mandate continuing education for security professionals, with 32.2% requiring 41 or more hours annually.
38.9% of respondents identified cloud security as the most significant skills shortage.
33.9% of tech professionals report a shortage of artificial intelligence (AI) security skills, particularly around emerging vulnerabilities like prompt injection.
Microsoft says more ransomware stopped before reaching encryption
The wider adoption of multi-factor authentication (MFA) is helping to significantly drive down password-based attacks and intrusions, but perpetrators are still finding various ways to bypass it.
Social engineering techniques are still highly effective and given the human element on which they rely, technology alone can't mitigate them entirely.
So, to mitigate the human element of cybercrime as much as possible, the prevalent recommendation right now is to go passwordless and opt for phishing-resistant passkeys instead.
Microsoft opened up the technology to all users earlier this year, having previously restricted it to paying commercial customers. It essentially means that in order to gain access to an account or service, a cybercriminal would need access to a user's physical device plus whatever extra protection they set up for that, be it a PIN, face scan, fingerprint, or something else.
The idea is that it's more secure than having to remember a password and it would eliminate the possibility of being socially engineered to enter valid credentials in an attacker-controlled website, for example.
CISA and FBI Release Joint Guidance on Product Security Bad Practices for Public Comment
While this guidance is intended for software manufacturers who develop software products and services in support of critical infrastructure, all software manufacturers are strongly encouraged to avoid these product security bad practices.
As outlined in CISA’s Secure by Design initiative, software manufacturers should ensure that security is a core consideration from the onset of software development. This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs) and provides recommendations for software manufacturers to mitigate these risks.
Product Properties
• Development in Memory Unsafe Languages (CWE-119 and related weaknesses)
• Inclusion of User-Provided Input in SQL Query Strings (CWE-89)
• Inclusion of User-Provided Input in Operating System Command Strings (CWE-78)
• Presence of Default Passwords (CWE-1392 and CWE-1393)
• Presence of Known Exploited Vulnerabilities
• Presence of Open Source Software with Known Exploitable Vulnerabilities
Security Features
• Lack of Multifactor Authentication
• Lack of Capability to Gather Evidence of Intrusions
Organizational Processes and Policies
• Failing to Publish Timely CVEs with CWEs
• Failing to Publish a Vulnerability Disclosure Policy
CISA Guidance: Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)
This document, the third edition, further defines and clarifies SBOM Attributes from the 2021 Framing Software Component Transparency document, offering descriptions of the minimum expected, recommended practices, and aspirational goal for each Attribute. The work reflected in this document is a product of extensive discussion in the SBOM Tooling and Implementation Working Group, a Cybersecurity and Infrastructure Security Agency (CISA) community-driven workstream, and feedback from across the software community.
Acronym Overdose – Navigating the Complex Data Security Landscape
Common regulatory frameworks that drive data security
• HIPAA - The Health Insurance Portability and Accountability Act (HIPAA) sets out specific standards around the privacy and security of patients and health data. These standards include how sensitive patient data must be stored, protected, and shared.
• PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is a security standard established by credit card companies (Visa, Mastercard, American Express, etc.) to define what security standards companies must meet to process and store credit card data.
• NIST 800-171 - The National Institute of Standards and Technology (NIST) operates many regulatory standards for organizations that wish to work with the federal government. NIST 800-171 governs how private entities must process, store, or transmit controlled-unclassified information (CUI) in order to do privileged work for the government.
VENDORS & PLATFORMS
Copilot's crudeness has left Microsoft chasing Google, again
A year ago it looked as if the world could be Microsoft's oyster. The software giant dominated the enterprise, was catching up to cloudy rivals, and then managed to purchase forty-nine percent of the for-profit subsidiary of ChatGPT creator OpenAI.
Having secured a stake in the leading purveyor of generative AI, it started to build it into products that attracted enormous attention, like Bing. Microsoft dangled the enticing prospect that its long-suffering search services could improve to the point at which they would challenge arch-rival Google. It hasn't happened.
Microsoft's missteps started in May 2023 when it launched a company-wide strategy that could have been titled "Copilot all the things!" Windows 11 got a Copilot assistant and a Copilot key. Edge got a Copilot panel, while Microsoft 365 got the full treatment.
Having Word or Outlook write for you, or PowerPoint create slideware on your behalf, is nice in theory. But few have adopted those features, or learned how to make them save the sort of time that would justify the investment.
Though Copilot is touted as an ideal assistant to help with calculations, Excel users quickly learned that a language model trained on billions of words of English has no effective grasp of the very different paradigm of a spreadsheet. Yes, Copilot can compose a quick formula, but it can't operate within the context of a worksheet with anything like Word's facility to parse the meaning of a text document.
But Google may have a killer app worth the effort: the NotebookLM, which looks to be the first RAG tool that can really help enterprises find the needles in the haystacks of their documents. NotebookLM is marvelously simple. Feed it documents and it will let you query them with prompts. Results are pleasing, and arrive swiftly. Ingestion tools could be better, but the results are strong enough to make it worth the effort.
New FIDO proposal lets you securely move passkeys across platforms
Passkeys are a method of authentication without a password that leverages public-key cryptography to authenticate users without requiring them to remember or manage long strings of characters.
FIDO reports that passkey sign-ins are 75% faster and 20% more successful than password-based authentication, highlighting the benefits of this new technology.
Amazon says 175 million customers now use passkeys to log in
“We're excited to share that more than 175 million customers have enabled passkeys on their Amazon accounts, allowing them to sign in six-times faster than they could otherwise.”
Trump campaign arms up with 'unhackable' phones after Iranian intrusion
Military kit supplier Green Hills Software has equipped Trump's team with supposedly unhackable phones and computers as the campaign attempts to avoid a repeat of earlier incidents where pro-Iranian attackers managed to steal emails and other data from the crew. The provider claims its software is impervious to any intrusion attempts and has also offered the technology to the Harris campaign team.
The kit uses the Green Hills Integrity-178B operating system, which is used on the stealth B-2 bomber, F-22, and F-35 fighters, and appears to be one of the only commercially available OSes certified to Evaluation Assurance Level 6. The company says its security comes from tight coding and locking down absolutely everything it can to minimize the opportunities for intrusion.
The entire operating system of the devices operates on around 10,000 lines of code that are penetration tested by a team incentivized to find bugs.
Android 15’s security and privacy features are the update’s highlight
In the Android 15 settings, you can find "Private Space," where you can set up a separate PIN code, password, biometric check, and optional Google account for apps you don't want to be available to anybody who happens to have your phone.
A new permission, likely to be given only to the most critical apps, prevents the leaking of one-time passcodes (OTPs) to other apps waiting for them. Sharing your screen will also hide OTP notifications, along with usernames, passwords, and credit card numbers.
Theft Detection Lock on Android uses AI to sense if someone has yanked a phone and is rapidly moving away with it, automatically locking the phone if so.
Android 15 can tell users when they're using an unencrypted cellular connection to prevent potential interception or injection of their traffic or SMS messages.
And more.
LEGAL & REGULATORY
Two accused of DDoSing some of the world’s biggest tech companies
Federal authorities have charged two Sudanese nationals with running an operation that performed tens of thousands of distributed denial of service (DDoS) attacks against some of the world’s biggest technology companies, as well as critical infrastructure and government agencies.
The service, branded as Anonymous Sudan, directed powerful and sustained DDoSes against Big Tech companies, including Microsoft, OpenAI, Riot Games, PayPal, Steam, Hulu, Netflix, Reddit, GitHub, and Cloudflare. Other targets included CNN[.]com, Cedars-Sinai Medical Center in Los Angeles, the US departments of Justice, Defense and State, the FBI, and government websites for the state of Alabama. Other attacks targeted sites or servers located in Europe.
Two brothers, Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, were both charged with one count of conspiracy to damage protected computers. Ahmed Salah was also charged with three counts of damaging protected computers. Among the allegations is that one of the brothers attempted to “knowingly and recklessly cause death.” If convicted on all charges, Ahmed Salah would face a maximum of life in federal prison, and Alaa Salah would face a maximum of five years in federal prison.
People are fleeing 23andMe. It's trickier than they realize.
Once a super popular tool for people wanting to research their ancestry, genetic testing company 23andMe is floundering, with copious losses and a rock-bottom stock price.
There’s no information more personal than your DNA. It is like a Social Security number; it can’t be changed.
23andMe makes it easy to feel like you’ve protected your genetic footprint. In their account settings, customers can download versions of their data to a computer and choose to delete the data attached to their 23andMe profile. An email then arrives with a big pink button: “Permanently Delete All Records.” Doing so, it promises, will “terminate your relationship with 23andMe and irreversibly delete your account and Personal Information.” But there’s another clause in the email that conflicts with that “terminate” promise. It says 23andMe and whichever contracted genotyping laboratory worked on a customer’s samples will still hold on to the customer’s sex, date of birth and genetic information, even after they’re “deleted.” The reason? The company cites “legal obligations,” including federal laboratory regulations and California lab rules. The federal program, which sets quality standards for laboratories, requires that labs hold on to patient test records for at least two years; the California rule, part of the state’s Business and Professions Code, requires three.
California Enacts Health AI Bill and Protections for Neural Data
AB 3030 requires a health facility, clinic, physician’s office, or office of a group practice that uses generative AI to generate written or verbal patient communications pertaining to patient clinical information to provide certain disclosures to patients.
In particular, AB 3030 requires the provision of “[a] disclaimer that indicates to the patient that the communication was generated by generative artificial intelligence.” This disclaimer must be provided in a specific format, depending on the method through which the AI is interacting with the patient:
• For written communications involving physical and digital media (e.g., letters, emails), the disclaimer must appear prominently at the beginning of each communication;
• For written communications involving continuous online interactions (e.g., chat-based telehealth), the disclaimer must be prominently displayed throughout the interaction;
• For audio communications, the disclaimer must be provided verbally at the start and the end of the interaction; and
• For video communications, the disclaimer must be prominently displayed throughout the interaction.
In addition, regardless of the method of communication, AB 3030 requires that the AI-generated patient communications pertaining to patient clinical information include clear instructions describing how a patient may contact a health care provider, employee of the health facility, clinic, physician’s office, or office of a group practice, or other appropriate person.
However, AB 3030 does not apply to all patient communications that are generated using AI. AI-generated communications that are read and reviewed by a human licensed or certified health care provider are not subject to these disclosure requirements in AB 3030. In addition, AB 3030 does not regulate the use of AI for administrative matters. AB 3030 applies only to communications pertaining to “patient clinical information,” which means “information relating to the health status of a patient . . . [and] does not include administrative matters, including, but not limited to, appointment scheduling, billing, or other clerical or business matters.”
Open-source AI definition finally gets its first release candidate - and a compromise
The OSI, the open-source definition steward organization, has been working on creating an open-source artificial intelligence definition for two years now. The group has been making progress, though. Its Open Source AI Definition has now reached its first release candidate, RC1.
It specifies four fundamental freedoms that an AI system must grant to be considered open source:
• the ability to use the system for any purpose without permission,
• to study how it works,
• to modify it for any purpose, and
• to share it with or without modifications.
However, the OSI has opted for a compromise regarding training data. Recognizing it's not easy to share full datasets, the current definition requires "sufficiently detailed information about the data used to train the system" rather than the full dataset itself. This approach aims to balance transparency with practical and legal considerations. That last phrase is proving difficult for some people to swallow. From their perspective, if all the data isn't open, then AI large language models (LLMs) based on such data can't be open-source.