Robert Grupe's AppSecNewsBits 2024-08-03

Software Development Security Epic Fails: Meta AI, Cloudflare, CrowdStrike, VMWare, Cencora, National Public Data, HealthEquity, DigiCert, UK Electoral Commission, Japan National IDs

Author

Robert Grupe
August 03, 2024

EPIC FAILS in Application Development Security practice processes, training, implementation, and incident response
Dark Angels ransomware receives record-breaking $75 million ransom
The largest known ransom payment was previously $40 million, which insurance giant CNA paid after suffering an Evil Corp ransomware attack.
While Zscaler did not share what company paid the $75 million ransom, they mentioned the company was in the Fortune 50 and the attack occurred in early 2024. One Fortune 50 company that suffered a cyberattack in February 2024 is pharmaceutical giant Cencora, ranked #10 on the list. No ransomware gang ever claimed responsibility for the attack, potentially indicating that a ransom was paid.
Dark Angels utilizes the "Big Game Hunting" strategy, which is to target only a few high-value companies in the hopes of massive payouts rather than many companies at once for numerous but smaller ransom payments. Dark Angels operators breach corporate networks and move laterally until they eventually gain administrative access. During this time, they also steal data from compromised servers, which is later used as additional leverage when making ransom demands. When they gain access to the Windows domain controller, the threat actors deploy the ransomware to encrypt all devices on the network. When the threat actors launched their operation, they used Windows and VMware ESXi encryptors based on the leaked source code for the Babuk ransomware. However, over time, they switched to a Linux encryptor.

 

Personal Data of 3 Billion People Stolen in Hack, Suit Says
On April 8, a cybercriminal group by the name of USDoD posted a database entitled “National Public Data” on a dark web forum, claiming to have the personal data of 2.9 billion people, according to the complaint filed Thursday in the US District Court for the Southern District of Florida, which said the group put the database up for sale for $3.5 million. If confirmed, the breach could be among the biggest ever, in terms of the number of individuals affected.
To conduct its business, National Public Data scrapes the personally identifying information of billions of individuals from non-public sources—meaning plaintiffs didn’t knowingly provide their data to the company. It’s unclear exactly when or how the breach occurred, according to the complaint, and the provider still hasn’t provided notice or warning to affected individuals.

 

HealthEquity data breach affects 4.3M people
HealthEquity is notifying 4.3 million people following a March data breach that affects their personal and protected health information.
In its data breach notice, HealthEquity said it discovered the data breach after finding unauthorized access in an “unstructured data repository” outside of its core network that contained customers’ personal and health information.
The compromised third-party vendor account had access to some of HealthEquity’s SharePoint data.
HealthEquity has published a data breach notification on its website. When TechCrunch checked the website notice, HealthEquity had included hidden “noindex” code on the page that tells search engines to ignore the web page, effectively blocking affected individuals from finding HealthEquity’s data breach notice in search results.

 

CrowdStrike sued by shareholders over global outage
CrowdStrike is being sued by its shareholders after a faulty software update by the cybersecurity firm crashed more than eight million computers and caused chaos around the world. The suit filed in the Austin, Texas federal court, alleges that CrowdStrike executives defrauded investors by making them believe the company's software updates were adequately tested. It also says the company's share price dropped 32% in the 12 days after the incident, causing a loss in market value of $25bn.
Microsoft CloudStrike Incident Analysis: Windows Security best practices for integrating and managing security tools
Examination of the recent CrowdStrike outage and provide a technical overview of the root cause, explanation why security products use kernel-mode drivers today and the safety measures Windows provides for third-party solutions, how customers and security vendors can better leverage the integrated security capabilities of Windows for increased security and reliability, and a look into how Windows will enhance extensibility for future security products.

 

Hackers exploit VMware vulnerability that gives them hypervisor admin
Escalating hypervisor privileges on ESXi to unrestricted admin was as simple as creating a new domain group named “ESX Admins.” From then on, any user assigned to the group—including newly created ones—automatically became admin, with no authentication necessary.
Attackers affiliated with multiple ransomware syndicates—including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest—have been exploiting the flaw for months in numerous post-compromise attacks, meaning after the limited access has already been gained through other means. [rG: Or by malicious insiders.]
Full administrative control of the hypervisor gives attackers various capabilities, including encrypting the file system and taking down the servers they host. The hypervisor control can also allow attackers to access hosted virtual machines to either exfiltrate data or expand their foothold inside a network. VMware parent company Broadcom has now provided a patch for the vulnerability.

 

DigiCert Revoking Certs With Less Than 24 Hours Notice
DigiCert says it discovered that some CNAME-based validations did not include the required underscore prefix, affecting about 0.4% of their domain validations. According to CA/Browser Forum (CABF) rules, certificates with validation issues must be revoked within 24 hours, prompting DigiCert to take immediate action. Due to a mistake going back years that has recently been discovered, DigiCert is required by the CABF to revoke any certificate that used the improper Domain Control Validation (DCV) CNAME record in 24 hours. This could literally be thousands of SSL certs. This could take a lot of time and potentially cause outages worldwide.

 

UK Electoral Commission slapped for basic cybersecurity fails
Among the failings that led to the attack, and the 13 months it took the Electoral Commission to detect any malicious activity, was an ineffective patching regime that failed to identify multiple vulnerabilities, including ProxyShell, which facilitated the data breach. Defenders reading this will probably remember that Microsoft issued patches for ProxyShell in March and April 2021, months before the attack actually began.
The Commission was also found guilty of using default passwords and failing to deploy appropriate password management policies across the organization. Following a post-incident audit of passwords at the body, 178 were cracked in "rapid" time because they were identical or similar to those issued when the accounts were created.
The key takeaways, however, are that Chinese state-sponsored attackers had access to around 40 million UK voters' names and home addresses for 13 months without being detected, and that's all due to insufficient basic security controls at the Electoral Commission.

 

Japan mandates app to ensure national ID cards aren't forged
Beginning in 2015, every resident of Japan was assigned a 12 digit My Number that paved the way for linking social security, taxation, disaster response and other government services to both the number itself and a smartcard.
The plan was to banish bureaucracy and improve public service delivery – but that didn't happen. My Number Card ran afoul of data breaches, reports of malfunctioning card readers, and database snafus that linked cards to other citizens' bank accounts. Public trust in the scheme fell, and adoption stalled. Now, according to Japan's Digital Ministry, counterfeit cards are proliferating to help miscreant purchase goods – particularly mobile phones – under fake identities.
Digital minister Taro Kono yesterday presented his solution to the counterfeits: a soon to be mandatory app that confirms the legitimacy of the card.

 

HACKING

Meta's AI safety system defeated by the space bar
Meta's machine-learning model for detecting prompt injection attacks – special prompts to make neural networks behave inappropriately – is itself vulnerable to, you guessed it, prompt injection attacks. It turns out Meta's Prompt-Guard-86M classifier model can be asked to "Ignore previous instructions" if you just add spaces between the letters and omit punctuation.
A bug hunter found the safety bypass when analyzing the embedding weight differences between Meta's Prompt-Guard-86M model and Redmond's base model, microsoft/mdeberta-v3-base.
The fine-tuning process had minimal effect on single English language characters. As a result, he was able to devise an attack. The bypass involves inserting character-wise spaces between all English alphabet characters in a given prompt. This simple transformation effectively renders the classifier unable to detect potentially harmful content.
The finding is consistent with a post the security org made in May about how fine-tuning a model can break safety controls.

 

Ferrari Exec Targeted By AI Deepfake Scammers Posing As CEO
It all began with a series of WhatsApp messages from someone posing as Ferrari’s CEO. The messages, seeking urgent help with a supposed classified acquisition, came from a different number but featured a profile picture of Vigna standing in front of the Ferrari emblem. Following the text messages, the executive received a phone call featuring a convincing impersonation of Vigna’s voice, complete with the CEO’s signature southern Italian accent. The caller claimed to be using a different number due to the sensitive nature of the matter and then requested the executive execute an “unspecified currency hedge transaction”.
The oddball money request, coupled with some “slight mechanical intonations” during the call, raised red flags for the Ferrari executive. He retorted, “Sorry, Benedetto, but I need to verify your identity,” and quizzed the CEO on a book he had recommended days earlier. Unsurprisingly, the impersonator flubbed the answer and ended the call in a hurry.

 

Burglars are jamming Wi-Fi security cameras — here’s what you can do
If they’re smart enough to use Wi-Fi jammers, they’re smart enough to use alternate means of avoiding detection—like cutting power to the entire house, thus nullifying the advantages of a wired camera system. The police also suggest adding a padlock to your electrical circuit box, but that’s not going to stop someone with $30 bolt cutters. But if you want extra peace of mind without the expense of a full wired camera system, get a camera with built-in storage and a battery. As long as it isn’t within reach and easily accessible, it should provide you with a visual record of any break-in.

 

Cyberattack hits blood-donation nonprofit OneBlood
OneBlood serves hospitals in Alabama, Florida, Georgia, and North and South Carolina. “We have implemented manual processes and procedures to remain operational. Manual processes take significantly longer to perform and impacts inventory availability. In an effort to further manage the blood supply we have asked the more than 250 hospitals we serve to activate their critical blood shortage protocols and to remain in that status for the time being.”

 

Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware
Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery.
Attack chains taking advantage of this technique have been observed delivering a cocktail of malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm.
A key element of their strategy was using direct syscalls to bypass security monitoring tools, decrypting layers of shellcode, and deploying the Early Bird APC queue injection to stealthily execute code and evade detection effectively.

 Cloudflare once again comes under pressure for enabling abusive sites
The content delivery network that provides a free service that protects websites from being taken down in denial-of-service attacks by masking their hosts. With Cloudflare helping deliver 16 percent of global Internet traffic, processing 57 million web requests per second, and serving anywhere from 7.6 million to 15.7 million active websites, the decision to serve just about any actor, regardless of their behavior, has been the subject of intense disagreement, with many advocates of free speech and Internet neutrality applauding it and people fighting crime and harassment online regarding it as a pariah.
Spamhaus—a nonprofit organization that provides intelligence and blocklists to stem the spread of spam, phishing, malware, and botnets—has become the latest to criticize Cloudflare. On Tuesday, the project said Cloudflare provides services for 10 percent of the domains listed in its domain block list and, to date, serves sites that are the subject of more than 1,200 unresolved complaints regarding abuse.

 

StackExchange abused to spread malicious PyPi packages as answers
Threat actors uploaded malicious Python packages to the PyPI repository and promoted them through the StackExchange online question and answer platform. The packages are named ‘spl-types,’ ‘raydium,’ ‘sol-structs,’ ‘sol-instruct,’ and ‘raydium-sdk’ and download scripts that steal sensitive data from the browser, messaging apps (Telegram, Signal, Session), and cryptocurrency wallet details (Exodus, Electrum, Monero). The info-stealing malware can also exfiltrate files with specific keywords as well as take screenshots, and sends all the data to a Telegram channel.
 

Don’t Let Your Domain Name Become a “Sitting Duck”
There are currently about one million Sitting Duck domains, and that at least 30,000 of them have been hijacked for malicious use since 2019. A domain can become lame in a variety of ways, such as when it is not assigned an Internet address, or because the name servers in the domain’s authoritative record are misconfigured or missing. The reason lame domains are problematic is that a number of Web hosting and DNS providers allow users to claim control over a domain without accessing the true owner’s account at their DNS provider or registrar. Commandeering domains this way also can allow thieves to impersonate trusted brands and abuse their positive or at least neutral reputation when sending email from those domains. A number of compromised Sitting Duck domains were originally registered by brand protection companies that specialize in defensive domain registrations (reserving look-alike domains for top brands before those names can be grabbed by scammers) and combating trademark infringement.
It’s easy to exploit, very hard to detect, and it’s entirely preventable.
How does one know whether a DNS provider is exploitable? There is a frequently updated list published on GitHub called “Can I take over DNS”.

 

Mysterious family of malware hid in Google Play for years
One means of obfuscation was to move malicious functionality to native libraries, which were obfuscated. Previously, Mandrake stored the malicious logic of the first stage in what’s known as the application DEX file, a type of file that’s trivial to analyze. By switching the location to the native library libopencv_dnn[.]so, the Mandrake code is harder to analyze and detect because the native libraries are more difficult to inspect. By then obfuscating the native library using the OLLVM obfuscator, Mandrake apps were even more stealthy.

 

Attacks on Bytecode Interpreters Conceal Malicious Injection Activity
Interpreters take human-readable software code and translate each line into bytecode — granular programming instructions understood by the underlying, often virtual, machine. The research team successfully inserted malicious instructions into the bytecode held in memory prior to execution, and because most security software does not scan bytecode, their changes escaped detection.
The NTT Security researchers noted that checksum defenses would not likely be effective against their techniques and recommend that developers enforce write protections to help eliminate the risk.

 

Akamai report reveals 65% rise in API & app attacks in APJ
A recent report from Akamai Technologies highlights a substantial increase in web attacks targeting APIs and applications in the Asia-Pacific and Japan (APJ) region. According to the "Digital Fortresses Under Siege: Threats to Modern Application Architectures" report, these attacks rose by 65% from the first quarter of 2023 through the first quarter of 2024, reaching an 18-month high. This surge has significantly impacted countries across APJ, with Australia experiencing 14.6 billion attacks, India 12 billion, and Singapore 10.7 billion.
High technology, commerce, and social media were the top three targeted industries in Layer 7 DDoS attacks, with over 11 trillion attacks globally within 18 months. The APJ region alone faced 5.1 trillion of these attacks.

 

APPSEC, DEVSECOPS, DEV
Escalating Data Breach Disruption Pushes Costs to New Highs
IBM released its annual Cost of a Data Breach Report revealing the global average cost of a data breach reached $4.88 million in 2024. Breach costs increased 10% from the prior year, the largest yearly jump since the pandemic, as 70% of breached organizations reported that the breach caused significant or very significant disruption. Some key findings in the 2024 IBM report include:

  • Data Visibility Gaps
    Forty percent of breaches involved data stored across multiple environments including public cloud, private cloud, and on-prem. These breaches cost more than $5 million on average and took the longest to identify and contain (283 days).

  • Understaffed Security Teams
    More organizations faced severe staffing shortages compared to the prior year (26% increase) and observed an average of $1.76 million in higher breach costs than those with low level or no security staffing issues.

  • AI-Powered Prevention Pays Off
    Two out of three organizations studied are deploying security AI and automation across their security operation center (SOC). When these technologies were used extensively across prevention workflows organizations incurred an average $2.2 million less in breach costs, compared to those with no use in these workflows – the largest cost savings revealed in the 2024 report.

Other key findings in the 2024 Cost of a Data Breach Report include:

  • Stolen credentials topped initial attack vectors
    At 16%, stolen/compromised credentials was the most common initial attack vector. These breaches also took the longest to identity and contain at nearly 10 months.

  • Critical infrastructure organizations see highest breach costs
    Healthcare, financial services, industrial, technology and energy organizations incurred the highest breach costs across industries. For the 14th year in a row, healthcare participants saw the costliest breaches across industries with average breach costs reaching $9.77 million.

 

CISA: AI Tools Give Feds 'Negligible' Security Improvements
The Cybersecurity and Infrastructure Security Agency conducted an operational pilot to assess whether AI-powered federal vulnerability detection software is more effective than traditional technologies at identifying vulnerabilities in government systems and networks. The agency evaluated products that became federally available starting in 2023, focusing on the latest AI technologies, including software using large language models.
The agency found that AI tools "can be unpredictable in ways that are difficult to troubleshoot" and in some cases require a substantial amount of time to teach analysts new capabilities. The incremental improvement gained may be negligible."

 

CISA: With Open Source Artificial Intelligence, Don’t Forget the Lessons of Open Source Software
Operators of package repositories in the AI ecosystem – such as platforms that distribute AI source code, models, weights, or training data – should work towards the items in the Principles for Package Repository Security framework and think about what unique considerations might apply. Tool developers should begin incorporating traceability and artifact composition analysis techniques. Model developers should include diverse viewpoints early and throughout the development lifecycle, ensuring that trust and safety is a core consideration during model development.

 

How ASPM Solutions Help Organizations Prepare for the EU’s DORA
Like the U.S. National Cybersecurity Strategy, DORA prioritizes digital resilience over specific vulnerabilities. The European Union’s Digital Operational Resilience Act (DORA), passed in late 2022, is set to take full effect by early 2025. DORA establishes new cybersecurity standards for financial institutions operating and doing business in the European Union (EU), given their heavy reliance on information and communications technology (ICT). Recognizing the systemic risks posed by ICT, DORA aims to safeguard financial firms, their customers, and the broader financial ecosystem from cyberattacks.
DORA specifies five areas on which financial institutions must focus to achieve digital resilience and meet the requirements:

  1. ICT risk management

  2. ICT incident reporting requirements

  3. Digital resilience testing requirements

  4. ICT third-party risk management

  5. Information sharing and ongoing learning

How does DORA impact AppSec?

  • Financial institutions must implement processes and tooling that provide centralized, unified application security management, from code to cloud and from cloud to code.

  • To ensure digital resilience, DORA necessitates a broader view of vulnerabilities, which means companies must understand their entire application security posture, including software composition analysis, code integrity, artifact integrity, secrets security, API security, and more.

  • The regulation mandates regular testing to identify vulnerabilities and ensure resilience. Application-specific testing should be ongoing and continuous to verify that even small changes in applications don’t introduce new vulnerabilities.

  • Financial institutions must assess and manage the security risks posed by third-party components (libraries, open-source code), dependencies, and APIs. ASPM tools and processes should incorporate all the elements to identify, investigate, and remediate all app-related issues in one solution, helping reduce risk and align with DORA requirements..

  • To remain in line with DORA’s requirements, security programs must be designed to facilitate effective incident response and recovery. AppSec and DevOps programs are no exception to this rule. Application Security Posture Management (ASPM) fills this need by automating issue identification and remediation and by eliminating formerly cumbersome, manual AppSec practices.

 

What Is Application Detection and Response (ADR)?
Application detection and response (ADR) is an emerging cybersecurity category that focuses on application visibility, protection, and remediation. ADR is a comprehensive and proactive approach to application security that incorporates automation, prioritization, contextual analysis, and allows security and development teams to facilitate enhanced threat detection and incident response.

 

The Fall of the National Vulnerability Database
The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) currently is the most widely used software vulnerability database in the world, with many scanners, analysts, and vendors depending on it daily to determine what software has been affected by a vulnerability. Yet, it recently was revealed that NIST has not enriched vulnerabilities listed in the NVD since Feb. 12 — meaning anyone relying on these reports potentially has been at risk for months.
Since its inception nearly 25 years ago, three key factors have impacted the NVD's ability to sufficiently classify security concerns that help the industry prioritize vulnerabilities — and what we're experiencing now is the result.

  1. Credit seeking contributors from inexperienced researchers has lead to low quality reports.

  2. The globalization of the Internet enabled researchers worldwide to partake in, and potentially impact, the industry in a meaningful way. It was no longer just a handful of seasoned researchers from select regions being credited with CVEs, and this second wave of people seeking recognition further increased the number of low-quality reports.

  3. In response to the above, bug bounties emerged as an incentive for researchers to disclose vulnerabilities to vendors rather than use them to do harm; which quickly became a numbers game. Rather than focusing on doing good work and gaining credit for it, this third cohort focused on pushing out as many reports as possible with as little effort as possible, hoping a few would hit a bounty payout so they could cash the check and move on.

 

How to Prepare to Implement a Technically Driven Security Model
The main benefits of integrating robotics into security management include cost-efficiency and a data-driven approach to security. Robots can deliver security services faster and are particularly valuable in markets with high labor costs. They also enhance asset protection by providing agility in large or challenging environments. Additionally, robotic security systems generate data that can feed into a business's security risk management processes, thereby increasing security maturity through artificial intelligence (AI) integration.

  1. Develop a security activity list and map human-based activities to robotic systems.

  2. Gather data on patterns, requirements, and cost implications.

  3. Analyze governance, processes, manuals, and post orders to identify activities suitable for automation.

  4. Identify life safety risks and cover physical challenges for human workers.

  5. Conduct data acquisition and long-term analytics for anomaly detection.

  6. Consider global or regional security requirements for remote access to security activities.

 

DARPA suggests turning old C code automatically into Rust – using AI, of course
"After more than two decades of grappling with memory safety issues in C and C++, the software engineering community has reached a consensus. Relying on bug-finding tools is not enough."

 

NIST unveils new open source platform for AI safety assessments
The freely-downloadable tool, called Dioptra, is designed to help artificial intelligence developers understand some unique data risks with AI models, and to help them "mitigate those risks while supporting innovation."
The goal is to help healthcare and other organizations better understand their AI software, and assess how well it fares in the face of a "variety of adversarial attacks," according to NIST.
Beyond unveiling the Dioptra platform, NIST's AI Safety Institute this past week also released new draft guidance on Managing Misuse Risk for Dual-Use Foundation Models.
Additionally, NIST also published three finalized documents around AI safety, focused on mitigating the risks of generative AI, reducing threats to the data used to train AI systems and global engagement on AI standards.

 

Plug Security Holes in React Apps That Can Lead to API Exploitation
The Traceable ASPEN team continues to discover a common anti-pattern in single-page applications: the underlying server-side API does not properly authenticate users, or authentication is missing entirely. These APIs are often developed alongside the client-side application, and developers usually think the security implemented on the client will provide enough protection.

 

 

Is Modern Software Development Mostly 'Junky Overhead'?
I read a post recently where someone bragged about using Kubernetes to scale all the way up to 500,000 page views per month. But that's 0.2 requests per second. I could serve that from my phone, on battery power, and it would spend most of its time asleep. In modern computing, we tolerate long builds, and then Docker builds, and uploading to container stores, and multi-minute deploy times before the program runs, and even longer times before the log output gets uploaded to somewhere you can see it, all because we've been tricked into this idea that everything has to scale. People get excited about deploying to the latest upstart container hosting service because it only takes tens of seconds to roll out, instead of minutes. But on my slow computer in the 1990s, I could run a perl or python program that started in milliseconds and served way more than 0.2 requests per second, and printed logs to stderr right away so I could edit-run-debug over and over again, multiple times per minute.
Our tower of complexity is now so tall that we seriously consider slathering LLMs on top to write the incomprehensible code in the incomprehensible frameworks so we don't have to.

 

 

VENDORS & PLATFORMS

The other shoe drops on generative AI
On Alphabet’s recent earnings call, CEO Sundar Pichai touted widespread adoption of Google Cloud’s generative AI solutions, but with a caveat—and a big one. “We are driving deeper progress on unlocking value, which I’m very bullish will happen. But these things take time.” The TL;DR? There’s a lot of generative AI tire-kicking, and not much adoption for serious applications that generate revenue.
But while the OSI and others are trying to committee their way to an updated Open Source Definition (OSD), powerful participants like Meta are releasing industry-defining models, calling them “open source,” and not remotely caring when some vocally chastise them for affixing a label that doesn’t seem to fit the OSD. In fact, basically none of today’s models are “open source” in the way we’ve traditionally considered the term.

 

Dashlane says passkey adoption has increased by 400 percent in 2024
Password manager Dashlane has released a new passkey report that gives us some idea of how many people are adopting the cryptographic passwordless logins. Over 100 sites now offer passkey support, though Dashlane says the top 20 most popular apps account for 52 percent of passkey authentications. When split into industry sectors, e-commerce (which includes eBay, Amazon, and Target) made up the largest share of passkey authentications at 42 percent. So-called “sticky apps” — meaning those used on a frequent basis, such as social media, e-commerce, and finance or payment sites — saw the fastest passkey adoption between April and June of this year.

 

 

 

Microsoft and Stanford University Researchers Introduce Trace: A Groundbreaking Python Framework Poised to Revolutionize the Automatic Optimization of AI Systems
Microsoft Research and Stanford University researchers propose a framework called Trace to automate the design and updating of AI systems like coding assistants and robots. Trace treats the computational workflow as a graph, similar to neural networks, and optimizes heterogeneous parameters using Optimization with Trace Oracle (OPTO). Trace efficiently converts workflows into OPTO instances, allowing a general-purpose optimizer, OptoPrime, to update parameters based on execution traces and feedback iteratively. This approach enhances optimization efficiency across various domains, outperforming specialized optimizers in tasks like prompt optimization, hyper-parameter tuning, and robot controller design.

 

 LEGAL & REGULATORY
U.S. Trades Cybercriminals to Russia in Prisoner Swap
Russia has reportedly released 16 prisoners, including Wall Street Journal reporter Evan Gershkovich and ex-U.S. Marine Paul Whelan.
Roman Seleznev, 40, who was sentenced in 2017 to 27 years in prison for racketeering convictions tied to a lengthy career in stealing and selling payment card data. Seleznev earned this then-record sentence by operating some of the underground’s most bustling marketplaces for stolen card data.
Vladislav Klyushin, a 42-year-old Muscovite sentenced in September 2023 to nine years in prison for what U.S. prosecutors called a “$93 million hack-to-trade conspiracy.” Klyushin and his crew hacked into companies and used information stolen in those intrusions to make illegal stock trades.

 

Court Dismisses Most of SEC’s Claims Against SolarWinds
The case, which has been closely followed, is the first in which the SEC has charged a CISO individually in connection with alleged cybersecurity violations and the first in which it has charged scienter-based securities fraud in connection with a cybersecurity breach. The case also represents a rare instance in which a company has challenged the SEC’s expansive reading of its authority to charge a violation of the “internal accounting controls” provision of the Securities Exchange Act of 1934 (the “Exchange Act”) based on an alleged failure of internal corporate controls—in this case, cybersecurity controls—not limited to financial accounting.
The court allowed only the subset of claims alleging that the “Security Statement” on the company’s website was materially false to survive.

 

And Now For Something Completely Different …
Have you thought about cloning yourself to get all your work done?
Do you sometimes wish you could just clone yourself to get all your work done? Well, companies in China now offer to do that. They create digital avatars of real people using generative AI.
There is a 28-year-old live streamer Wang Xue'er, online advertising mooncakes. But hold on, on another e-commerce channel, she's also simultaneously selling a toaster. How is that possible? Turns out, the real flesh and blood Wang is actually sitting in a studio, telling the digital versions of herself what to say for the next day's live streaming. And all those other online versions of her, some of them are avatars generated by artificial intelligence. She says she used to livestream four to six hours a day, talking nonstop in front of a camera and engaging with customers asking questions. Then Wang's marketing agency turned to Silicon Intelligence. That's an AI company based in the city of Nanjing who digitally copied Wang. And now she can run five to 10 e-commerce livestreams at a time.

AI avatars may soon be attending meetings for us and that sure feels like a slippery slope towards an AI future none of us want
A recent Microsoft ad claims that thanks to Copilot, you, I, and indeed all of us can attend multiple meetings at once. This caused some degree of online confusion, but swiping through the ad reveals that the feature Microsoft is touting is Copilot's ability to summarise meetings on your behalf. Seems reasonably useful, that. It's not quite attending "three meetings at once", however, as the ad claims, unless it means that reading a Copilot-based summary after the fact is the same as attending.
Zoom Workplace—a new collaboration platform from the video conferencing giant—involves deploying an AI assistant to go to meetings for you. And more than that, in the near future, we could all send our AI digital assistants to have meetings with each other. "Today for this session, ideally, I do not need to join. I can send a digital version of myself to join so I can go to the beach. Or I do not need to check my emails; the digital version of myself can read most of the emails.”
Intel's Pat Gelsinger revealed that, to his mind, the problem with AI currently is that it's very proficient at "thinking fast", i.e. intuitively, but doesn't yet have the ability to "think slow"—by which he means, think rationally and reasonably about a problem, and this is currently a huge area of research. “Today our systems hallucinate, tomorrow if we're going to use them broadly, they have to be right."
If my AI avatar has a meeting with your AI avatar as things currently stand, and one of them misinterprets a question or a response, we're both going to be sitting on the beach drinking our respective pina coladas with potentially useless information. In which case, my friends, we won't be sitting on the beach enjoying the sun, but walking up and down it with a sign saying "insert your profession here for hire".

 

Want to clone yourself? Make a personal AI avatar - here's how
Synthesia lets you make a digital twin of yourself that can speak languages you can't - in under five minutes.

 

The brightest flashlights you can buy
Ranging from 1,700 to 200,000 lumens