Pete Recommends – Weekly highlights on cyber security issues, January 14, 2023

Subject: Hello World by Julia Angwin
Source: The Markup

Dispatches from our founder Julia Angwin. A weekly newsletter—delivered every Saturday morning—that goes deep into our original reporting and the questions we put to big thinkers in the field. Browse the archive

Subject: Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots
Source: Forbes

Users of underground forums start sharing malware coded by OpenAI’s viral sensation and dating scammers are planning on creating convincing fake girls with the tool. Cyber prognosticators predict more malicious use of ChatGPT is to come. Cybercriminals have started using OpenAI’s artificially intelligent chatbot ChatGPT to quickly build hacking tools, cybersecurity researchers warned on Friday. Scammers are also testing ChatGPT’s ability to build other chatbots designed to impersonate young females to ensnare targets, one expert monitoring criminal forums told Forbes.
Many early ChatGPT users had raised the alarm that the app, which went viral in the days after its launch in December, could code malicious software capable of spying on users’ keyboard strokes or create ransomware.Underground criminal forums have finally caught on, according to a report from Israeli security company Check Point. In one forum post reviewed by Check Point, a hacker who’d previously shared Android malware showcased code written by ChatGPT that stole files of interest, compressed them and sent them across the web. They showed off another tool that installed a backdoor on a computer and could upload further malware to an infected PC….As for protections against criminal use of ChatGPT, Shykevich said it would ultimately, and “unfortunately,” have to be enforced with regulation. OpenAI has implemented some controls, preventing obvious requests for ChatGPT to build spyware with policy violation warnings, though hackers and journalists have found ways to bypass those protections. Shykevich said companies like OpenAI may have to be legally compelled to train their AI to detect such abuse.

Subject: One year later: Apple’s rules on data privacy force a rethink on customer engagement
Source: VentureBeat

Last year’s update to Apple’s privacy policy is one of those events where the worried predictions ended up being exactly what transpired: The significant reduction in marketers’ ability to personalize and target ads based on consumers’ digital behavior and the downstream impact on the social media giants’ ad revenue.Even worse, the dollars still being spent by Chief Marketing Officers (CMOs) have become less effective. Sure enough, by some measures, ROI plunged nearly 40%. This new environment has marketers scrambling. But it hasn’t changed their behavior dramatically yet.

Marketers are still acting as if we live in an advertising world enriched by an almost unlimited amount of available data.


Subject: Identity Thieves Bypassed Experian Security to View Credit Reports
Source: Krebs on Security

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number….

Subject: Cybersecurity experts gaze into the 2023 crystal ball and see good, bad, ugly
Source: Infosec Exchange via Brian Krebbs” Mastodon

I usually avoid security predictions stories, but make an exception for Taylor Armerding’s useful Medium piece surveying different security

I found this bit from the ID Theft Resource Center to be spot-on: “The number of data breach notices that reveal less information about a compromise will continue to grow, putting more people and businesses at risk. “Two years ago, only a handful of notices didn’t have good information, but the percentage has accelerated through 2022. We think, anecdotally, that it’s due to a series of federal court rulings that you must have suffered actual harm from a breach before you can sue a company.”

Subject: Millions of Vehicles at Risk: API Vulnerabilities Uncovered in 16 Major Car Brands
Source: The Hacker News

Multiple bugs affecting millions of vehicles from 16 different manufacturers could be abused to unlock, start, and track cars, plus impact the privacy of car owners.The security vulnerabilities were found in the automotive APIs powering Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, Toyota as well as in software from Reviver, SiriusXM, and Spireon.

The flaws run a wide gamut, ranging from those that give access to internal company systems and user information to weaknesses that would allow an attacker to remotely send commands to achieve code execution.

“If an attacker were able to find vulnerabilities in the API endpoints that vehicle telematics systems used, they could honk the horn, flash the lights, remotely track, lock/unlock, and start/stop vehicles, completely remotely,” the researchers noted.

Subject: ASK US ANYTHING about our reporting on telehealth startups
Source: The Markup via

We analyzed web traffic across 50 #telehealth sites with @STAT and saw that almost all were sending users’ personal information to some of the world’s largest advertising platforms.Questions about what we found or how we found it? Let us know in the replies and our team will be responding this week.#MedMastodon #MentalHealth #Privacy

Subject: US Supremes deny Pegasus spyware maker’s immunity claim
Source: The Register

The US Supreme Court has quashed spyware maker NSO Group’s argument that it cannot be held legally responsible for using WhatsApp technology to deploy its Pegasus snoop-ware on users’ phones.Facebook and its WhatsApp subsidiary sued the notorious Isreal-based software company in 2019, alleging that NSO exploited a zero-day bug in WhatsApp to remotely drop Pegasus on about 1,400 smartphones belonging to attorneys, journalists, human rights activists, political dissidents, diplomats and other senior foreign government officials in multiple countries.

Pegasus, of course, is the now-infamous malware that NSO claims is only sold to legitimate government agencies — not private companies or individuals — and can only be used “for the purpose of preventing and investigating terrorism and other serious crimes,” despite numerous reports from Citizen Lab, Google, and the media of the malicious code being used to spy on journalists, activists, and politicians by their opponents.

Once installed on a victim’s device, Pegasus can, among other things, secretly snoop on that person’s calls, messages, and other activities, and access their phone’s camera without permission.

In response to Facebook’s lawsuit, NSO asked the courts to dismiss the lawsuit on the grounds that the immunity of foreign states from prosecution also applies to non-governmental vendors. After the lower courts rejected its argument, NSO appealed to the US Supreme Court, which today denied [PDF] its case, thus kicking it back to the Court of Appeals.

Subject: Security Researchers Hack Reviver Digital License Plate
Source: Gizmodo

Only a few months after they officially became available, a security researcher and his friends have managed to pwn California’s new digital license plates.Yes, for the past several years, Cali has been on a weird mission to digitize its car tags. Advocates claims that this modernization effort will offer a host of benefits to drivers, including “visual personalization” and easy in-app registration renewal, but security experts have long warned that if you hook your plates up to the web, somebody will inevitably try to mess with them.

Subject: National Archives broadens records retention guidance to include text messages
Source: FedScoop

The National Archives and Records Administration has widened its digital records retention guidance for federal government agencies to include other forms of electronic messaging such as text messages.In a bulletin issued Jan. 5, the federal agency set out new rules requiring the preservation of all communication about government business on electronic messaging systems.

Electronic messaging systems are defined as systems that “allow users to send communications in real-time or for later viewing,” and explicitly include texts, chats and instant messages.

“This bulletin recognizes that the use of additional types of electronic messaging often now replaces conversations previously occurring over email,” NARA said in the fresh guidance.

-In this Story-
National Archives and Records Administration (NARA), Records Managem/ent, text messages

Subject: Adobe Uses Your Content to Train AI
Source: Sensei Enterprises, Inc.

Artificial intelligence is all the rage these days. We see various forms of AI used in our lives every day. Real world data is used to train the AI algorithms to improve accuracy. Where does the training data come from? The short answer is you. Adobe found itself in the headlines when it was revealed that Adobe uses user content stored in Creative Cloud services to train AI algorithms by default. The Register reported that users will need to opt out of the service if they don’t want their data to be AI training fodder. Adobe confirmed, “When we analyze your content for product improvement and development purposes, we first aggregate your content with other content and then use the aggregated content to train our algorithms and thus improve our products and services.” Apparently, the policy has been in place for some time, but the action isn’t sitting well with some users, especially artists. To opt out, login to your Adobe account and get to the setting for Privacy and personal data. Turn off the Allow my content to be analyzed by Adobe for product improvement and development purposes setting.

Subject: Another password manager is moving beyond passwords
Source: gHacks Tech News

New upgrades from NordPass will enable passwordless authentication to work through the service. The FIDO Alliance’s main innovation in this regard has been passkeys, and this is what the NordPass update is enabling.Passkeys are encrypted keys that are stored on other devices that allow you to access your accounts without having to come up with, store, or remember a password. They normally work by using the biometric security devices such as facial recognition or fingerprint sensors that many smartphones have these days. Following this update, NordPass users will, therefore, be able to store their passkeys in their vault and then access them using their biometric information. Passkeys have already seen quite a bit of adoption with big-name companies implementing them across their sites, products, and services….Filed:

Subject: A college student made an app to detect AI-written text
Source: NPR

Teachers worried about students turning in essays written by a popular artificial intelligence chatbot now have a new tool of their own. Edward Tian, a 22-year-old senior at Princeton University, has built an app to detect whether text is written by ChatGPT, the viral chatbot that’s sparked fears over its potential for unethical uses in academia….

His motivation to create the bot was to fight what he sees as an increase in AI plagiarism. Since the release of ChatGPT in late November, there have been reports of students using the breakthrough language model to pass off AI-written assignments as their own.

How GPTZero works – To determine whether an excerpt is written by a bot, GPTZero uses two indicators: “perplexity” and “burstiness.” Perplexity measures the complexity of text; if GPTZero is perplexed by the text, then it has a high complexity and it’s more likely to be human-written. However, if the text is more familiar to the bot — because it’s been trained on such data — then it will have low complexity and therefore is more likely to be AI-generated.



Subject: Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware
Source: The Hacker News

Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022.It uses “components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers,” Bitdefender said in an analysis.

A majority of the infections are said to originate in Iran, with smaller detections in Germany and the U.S., the Romanian cybersecurity firm added.

SecondEye, according to snapshots captured via the Internet Archive, claims to be a commercial monitoring software that can work as a “parental control system or as an online watchdog.” As of November 2021, it’s offered for sale anywhere between $99 to $200.

Posted in: AI, Cybersecurity, Privacy