Pete Recommends – Weekly highlights on cyber security issues, May 27, 2023

Subject: How To Switch to Using Passkeys With Your Google Accounts
Source: Gizmodo

The future is passkeys, not passwords: Google accounts are the latest to make the switch, following similar moves by Apple and Microsoft over the last couple of years (with other smaller names also making the switch). It means more convenience and more security for your account, and no need to remember dozens of lengthy passwords. Essentially, a passkey means that the device you’re using (typically your phone or laptop) proves your identity with whatever screen lock is in place—PIN, facial recognition, fingerprint sensor—proving that you are who you say you are. In simple terms, the tech you use to unlock your phone becomes the tech you use to get into your digital accounts, too. They replace two-step verification as well as the password, and they work with hardware keys.
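As an added illustration (not from the Gizmodo article, nor Google's or any vendor's code), the challenge-response at the heart of a passkey login, modelled in Go: the device holds the private key behind a stand-in screen-lock flag, the account provider stores only the public key, and the signed data binds a fresh challenge to the site origin. Real WebAuthn signs a richer structure (authenticator data plus client data JSON), and the origin string here is a constructed example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for the user's phone or laptop: the private key never leaves it, and Sign runs only once the screen lock is satisfied.
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	Unlocked bool // constructed stand-in for the device's PIN / face / fingerprint check
}
// RelyingParty is the account provider: it stores only the public key (useless to a database thief) plus the challenges it has issued and not yet consumed.
type RelyingParty struct {
	Origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool
}
// Enroll is the one-time registration: the device mints an ES256 key pair (the algorithm WebAuthn uses) and only the public half is handed to the provider.
func Enroll(rp *RelyingParty) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	rp.pub, rp.pending = &priv.PublicKey, map[string]bool{}
	return &Authenticator{priv: priv}
}

// Sign produces the login assertion over SHA-256(challenge || origin); because the origin is signed, an assertion made on a look-alike domain never verifies at the real site.
func (a *Authenticator) Sign(challenge []byte, origin string) ([]byte, error) {
	if !a.Unlocked { return nil, errors.New("screen lock not satisfied") }
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// NewChallenge issues 32 fresh random bytes that Verify accepts at most once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	rp.pending[string(c)] = true
	return c
}

// Verify checks the assertion with the stored key and the server's OWN origin, then consumes the challenge so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if rp.pub == nil || !rp.pending[string(challenge)] { return false }
	delete(rp.pending, string(challenge))
	h := sha256.Sum256(append(append([]byte{}, challenge...), rp.Origin...))
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```

Note that nothing reusable is stored server-side: the PillPack incident below, where stolen passwords were replayed against 19,032 accounts, is exactly the credential-stuffing pattern this design removes.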

Subject: Amazon’s PillPack suffers data breach
Source: Becker’s Healthcare

Amazon’s PillPack is notifying consumers that an unauthorized person took customer emails and passwords to log into 19,032 PillPack accounts. On April 3, PillPack noticed suspicious login attempts on its customer accounts and launched an investigation into the incident. The investigation determined that between April 2 and April 6, an unauthorized party used customer login credentials to log into 19,032 accounts, with 3,614 of those accounts containing prescription information.
Subject: Are Your APIs Leaking Sensitive Data?
Source: The Hacker News

Believe it or not, application programming interfaces (APIs) are a leading culprit of exposure and compromise.
That’s right, hackers are increasingly exploiting APIs to gain access to and exfiltrate sensitive data. In 2022 alone, 76% of cybersecurity professionals admitted to experiencing an API security related incident. If that wasn’t attention-grabbing enough, US businesses incurred upwards of $23 billion in losses from API-related breaches during the same time period. And unfortunately, many organizations are just starting to take notice.

With that said, in this article, we’ll explore the potential consequences of data leaks, the role and impact APIs have, as well as how organizations can protect themselves from these risks.

Surprisingly to many technology professionals, API traffic now represents over 80% of the current internet traffic, with API calls growing twice as fast as HTML traffic. When you unpack this statistic, it becomes rapidly clear that APIs interact with all types of data – including sensitive data like credit card information, health records, social security numbers, etc. However, not as much attention is paid to securing APIs as is paid to network, perimeter, and application security. To be honest, many organizations struggle with even knowing how many APIs they actually have.

When it comes to having the right tools, you need to invest in API security controls across the software development lifecycle to ensure your APIs are protected from code to production. It’s really the only tangible strategy if you are serious about protecting your sensitive data and staying compliant with data privacy regulations. The four pillars that comprise a purpose-built API security platform are API discovery, posture management, runtime protection, and API security testing. Let’s take a quick look at each and how they help you protect your sensitive data:

Subject: Pentagon explosion hoax goes viral after verified Twitter accounts push
Source: Bleeping Computer

Highly realistic AI-generated images depicting an explosion near the Pentagon that went viral on Twitter caused the stock market to dip briefly earlier today. Tweets of this image supposedly depicting an explosion near the Pentagon building in Arlington, Virginia, were amplified by many verified Twitter accounts, including Russian state media and a verified account impersonating the Bloomberg news agency.

Even though the viral picture seemed real at first glance, it’s filled with hints that it was generated using artificial intelligence, proving that the entire thing is a hoax.

Twitter paused Twitter Blue paid verification in response to the incident and many other similar pranks and hoaxes, as a Twitter sales employee told NBC at the time.
Subject: Interview With a Crypto Scam Investment Spammer
Source: Krebs on Security

Social networks are constantly battling inauthentic bot accounts that send direct messages to users promoting scam cryptocurrency investment platforms. What follows is an interview with a Russian hacker responsible for a series of aggressive crypto spam campaigns that recently prompted several large Mastodon communities to temporarily halt new registrations. According to the hacker, their spam software has been in private use until the last few weeks, when it was released as open source code. Renaud Chaput is a freelance programmer working on modernizing and scaling the Mastodon project infrastructure — including,, and Chaput said that on May 4, 2023, someone unleashed a spam torrent targeting users on these Mastodon communities via “private mentions,” a kind of direct messaging on the platform.

Subject: CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF)
Source: CISA / JRTF

Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020. The update incorporates lessons learned from the past two years and includes additional recommended actions, resources, and tools to maximize its relevancy and effectiveness and to further help reduce the prevalence and impacts of ransomware.

Subject: 8.9 Million Android Devices Pre-Infected With Guerilla Malware
Source: Cord Cutters News

A cybercrime organization known as the Lemon Group has pre-infected over 8.9 million Android devices, including smartphones, watches, televisions, and more. Trend Micro states the Guerilla malware has been preinstalled on said devices worldwide and has the potential to expand to IoT devices as well. “We believe that the threat actor’s operations can also be a case of stealing information from the infected device to be used for big data collection before selling it to other threat actors as another post-infection monetization scheme,” says Trend Micro. Trend Micro revealed the data breach at the Black Hat Asia 2023 conference hosted in Singapore earlier this May. “The infection turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts and monetization via advertisements and click fraud,” said Trend Micro researchers at the conference.

Malware can be installed via third parties hired by device manufacturers and Trend Micro is concerned it could even affect cars. Researchers have traced some of the infections to a company producing firmware components for cellular devices as well as Android Auto.

Subject: Chinese hackers seek capabilities to disrupt communications between US and Asia in event of crisis, Microsoft says
Source: CNN Politics

Chinese government-backed hackers are likely pursuing cyber capabilities that could be used to “disrupt critical communications” between the US and the Asia Pacific region in the event of a future US-China crisis, Microsoft warned on Wednesday. The Chinese hackers have been active since mid-2021 and targeted critical infrastructure organizations in the US territory of Guam and in other parts of the US as part of a stealthy spying and information gathering campaign, Microsoft said in a new report. Organizations targeted by the hackers cover the maritime, transportation and government sectors, among others.

The Microsoft report underscores the key role that cyber operations might play in present and future US-China power competition and territorial disputes in the Pacific. China has claimed a growing list of territories in the Pacific in recent years in what US officials view as alarming expansionism from Beijing.

“Chinese cyberthreat actors are unique among their peers in that they have not regularly resorted to destructive and disruptive cyberattacks,” Hultquist said. The Microsoft report “is a rare opportunity to investigate and prepare for this threat.”

Subject: On the Poisoning of LLMs
Source: Schneier on Security

Interesting essay on the poisoning of LLMs—ChatGPT in particular: Given that we’ve known about model poisoning for years, and given the strong incentives the black-hat SEO crowd has to manipulate results, it’s entirely possible that bad actors have been poisoning ChatGPT for months. We don’t know because OpenAI doesn’t talk about their processes, how they validate the prompts they use for training, how they vet their training data set, or how they fine-tune ChatGPT. Their secrecy means we don’t know if ChatGPT has been safely managed.

They’ll also have to update their training data set at some point. They can’t leave their models stuck in 2021 forever.


Subject: IRS management must address two key data security system deficiencies: GAO
Source: FedScoop

The Internal Revenue Service has two key data security deficiencies related to information access controls and configuration management that warrant attention from agency management, according to a fiscal year 2022 audit by the congressional watchdog. The two issues contributed to “significant deficiency in IRS’s internal control over financial reporting systems,” according to the director of IT and cybersecurity as well as financial management, respectively, at the Government Accountability Office (GAO).

“The deficiencies related to information systems and safeguarding assets increase the risk of unauthorized access to, modification of, or disclosure of financial and sensitive taxpayer data and disruption of critical operations,” the GAO fiscal audit highlighted. “The deficiencies related to transaction cycles increase the risk of financial statement misstatements.”

According to the GAO audit, which was published on May 26, the deficiencies are “not considered material weaknesses or significant deficiencies.” Nevertheless, the watchdog has made three new recommendations to the IRS to address the control deficiencies related to tax refunds. Separately, it also made 16 recommendations to address control deficiencies related to information systems.
