Pete Recommends – Weekly highlights on cyber security issues, June 15, 2024

Subject: Windows Recall is changing in 3 key aspects after user backlash
Source: AndroidHeadlines

Microsoft is changing some key aspects of Windows Recall in response to all the controversy generated since its launch. The new feature never quite convinced the general public regarding data security and privacy. Now, the company wants to make sure that everyone is very clear about how it works. They are even making it easier to disable the feature. The way Windows Recall works is based on constantly taking and saving snapshots of everything you do on your PC. This allows you to ask questions about your activity, for example if you want to remember what you were doing on a specific day. Recall is an AI-powered feature that requires powerful NPUs to run smoothly, so the best way to use it is on Copilot+ PCs. However, Recall can (barely) run on unsupported hardware as well.

It seems that it was never clear to the public how Recall would handle snapshots. Multiple questions arose about the security of your data in certain situations. For example, one of the concerns is that another person with physical access to your PC could potentially get your detailed activity history, even with images. In response to concerns, Microsoft is changing some of the most criticized aspects of Recall.

Microsoft is changing these key Windows Recall aspects – The changes focus on three main points. First, the company will modify the set-up process for Copilot+ PCs. Now users will be able to clearly decide whether they want to enable Recall or not. Even if you don’t choose any option, Recall will be disabled by default. This way, there will be no risk of enabling the feature without realizing it. Next, the Windows Hello security system will now be a mandatory requirement to start Recall. This means that the feature will require biometric verification when you want to use it. But not only that, as the OS will also run a “proof of presence” test before you can check your timeline or do searches. Lastly, the company is encrypting Recall snapshots and the search index database. The latter was one of the most sensitive potential security holes. After all, it was just unencrypted plain text.

Subject: LastPass says 12-hour outage caused by bad Chrome extension update
Source: bleepingcomputer

LastPass says its almost 12-hour outage yesterday was caused by a bad update to its Google Chrome extension. Starting at around 1 PM ET yesterday, LastPass users were suddenly unable to access their password vaults or log into their accounts, instead seeing “404 Not Found” errors, which typically indicate a page does not exist.

The impact did not go unnoticed, with LastPass customers venting their frustration on Reddit and Twitter about the outage and their inability to retrieve their saved credentials and log in to sites.

“Even their offline login doesn’t work. I’m shifting my family over to 1Password,” a person on Reddit wrote.

“I can’t believe they don’t have contingencies in their infrastructure. I am essentially locked out of all the websites I use until they fix this,” said another user.

At approximately 8 PM ET, LastPass said they resolved the issue, stating that a bad update to the Chrome extension put too much stress on their servers.

“Our engineers have identified that an update to our chrome browser extension earlier today inadvertently caused load issues on our backend infrastructure,” reads the LastPass status page.

“Update: LastPass performance continues to be stable and fully operational. We will continue to actively monitor the service throughout the weekend before setting this incident to ‘resolved’ status.” (Status page entry, Jun 07, 2024, 19:16 UTC)



Subject: Harvard, MIT, and Wharton research reveals pitfalls of relying on junior staff for AI training
Source: VentureBeat

As companies race to adopt artificial intelligence systems, conventional wisdom suggests that younger, more tech-savvy employees will take the lead in teaching their managers how to effectively use the powerful new tools. But a new study casts doubt on that assumption when it comes to the rapidly-evolving technology of generative AI.

The research, conducted by academics from Harvard Business School, MIT, Wharton, and other institutions in collaboration with Boston Consulting Group, found that junior employees who experimented with a generative AI system made recommendations for mitigating risks that ran counter to expert advice. The findings suggest that companies cannot rely solely on reverse mentoring to ensure the responsible use of AI.

Junior consultants struggle with AI risk mitigation in GPT-4 experiment

Navigating the challenges of generative AI adoption in business – “To explain how and when junior professionals may fail to be a source of expertise in the use of an emerging technology for more senior members, we must take into account not only status threat, but also risks to valued outcomes,” the researchers wrote, noting AI’s exponential rate of change, superhuman capabilities, and reliance on vast amounts of data.



Subject: The NSA’s guide to keeping your phone and yourself safe
Source: AndroidHeadlines


Smartphones can be hotbeds for spying. The NSA is here to tell you how to babysit your phone like it’s a toddler running loose with classified documents. Don’t talk about sensitive things near your phone, it might eavesdrop! Forget about using public Wi-Fi—that’s like letting your phone wander off with a stranger at the playground. Keep it on a leash (or a strong password), don’t let it talk to strangers (unknown networks), and be super suspicious of everything it downloads. Basically, treat your phone like it’s a secret agent in training.

2-page PDF — infographic

Subject: NDAA proposal reigniting debate over separate cyber force
Source: Federal News Network

Pentagon officials are rejecting the idea of establishing a separate cyber force as lawmakers request an independent study. The House Armed Services Committee’s bipartisan proposal to require the Defense Department to study the establishment of a cyber force is resurfacing a long-running debate over the U.S. Cyber Command’s organizational challenges.

The amendment, introduced by Reps. Morgan Luttrell (R-Texas) and Chrissy Houlahan (D-Pa.), seeks an independent study of establishing a separate armed force dedicated to cyber, including an evaluation of how it would compare in performance and efficacy to the current organizational approach for CYBERCOM.

If passed, the measure would require the Defense Department to enter into an agreement with the National Academy of Sciences to conduct the evaluation.

CYBERCOM, launched over a decade ago, has struggled to grow its cyber workforce necessary to counter ever-growing cyber threats. The command has historically relied on the military services to provide digital personnel, which has led to readiness issues since the services run their own recruitment and training systems for their cyber operations and digital warriors tend to have inconsistent knowledge and experience when they are sent to CYBERCOM.



Subject: The number of known Snowflake customer data breaches is rising
Source: Help Net Security

LendingTree subsidiary QuoteWizard and automotive parts provider Advance Auto Parts have been revealed as victims of attackers who are trying to sell data stolen from Snowflake-hosted cloud databases. Snowflake says that their investigation is still ongoing, but continues to stand by the preliminary results: the attackers accessed customer accounts secured with single-factor authentication by leveraging credentials “previously purchased or obtained through infostealing malware.”

Mandiant has published a rundown of its involvement in the investigation, and has confirmed that there is no evidence pointing to a breach of Snowflake’s enterprise environment.

“The affected customer instances did not require multi-factor authentication and in many cases, the credentials had not been rotated for as long as four years. Network allow lists were also not used to limit access to trusted locations.”


Subject: Can someone tell if I block their number?
Source: ZDNET

If you have to block someone else’s number, you may have wondered what happens next. We’ll walk you through the ways that someone may be able to tell if their number has been blocked.

Can someone tell if I block their number?

First things first, if you block someone’s number, they won’t find out right away, if at all. They won’t get a notification saying they were blocked and won’t be able to see it plainly anywhere, but they can infer it and assume they’ve been blocked. There are ways a person can figure out if they’ve been blocked, like sending you texts and calling you.



Subject: 23andMe data breach under investigation in UK and Canada
Source: BleepingComputer

Privacy authorities in Canada and the United Kingdom have launched a joint investigation to assess the scope of sensitive customer information exposed in last year’s 23andMe data breach. The Privacy Commissioner of Canada and The Information Commissioner’s Office (ICO) will also look into whether the company had adequate safeguards to secure customer data stored on its systems.

The joint investigation will also examine if 23andMe alerted affected individuals and the privacy regulators as required by Canadian and UK privacy and data protection laws.

“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination. Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world,” said Privacy Commissioner of Canada Philippe Dufresne.

“People need to trust that any organization handling their most sensitive personal information has the appropriate security and safeguards in place,” UK Information Commissioner John Edwards added.

“This data breach had an international impact, and we look forward to collaborating with our Canadian counterparts to ensure the personal information of people in the UK is protected.”



Subject: Want free and anonymous access to AI chatbots? DuckDuckGo’s new tool is for you
Source: ZDNET

The privacy-minded DuckDuckGo promises that your chats are private, anonymized, and not used for AI model training.

Those of you who’d like anonymous access to several generative AI chatbots all in one place may want to check out DuckDuckGo’s new AI chat tool. Announced last Thursday, the service lets you try four different AI models through a dedicated AI website or the DuckDuckGo browser.

Included in the mix are GPT-3.5 Turbo, Claude 3 Haiku, Meta Llama 3, and Mistral’s Mixtral 8x7B. All four are freely accessible through DuckDuckGo, though you may bump into an unspecified daily limit on the number of queries you can submit.

Being able to access several AI chatbots in the same place is certainly convenient. But the real benefit here is the anonymity. When you use such services as ChatGPT and Meta AI, your chats aren’t necessarily private. Moderators may read your conversations to make sure you’re not abusing the system. Plus, your chats can be used to help train the AI.

To protect your privacy, the chats you conduct through DuckDuckGo’s AI chat tool are anonymous and aren’t saved or stored by the company or the AI services, at least not permanently.

To anonymize your conversations, DuckDuckGo says that it removes your IP address and replaces it with one of its own. This makes it seem as if the requests are coming from the company and not from you.


Subject: 180-degree security camera: Explore top picks
Source: Android Headlines

180-degree security cameras cover a massive area, which is the reason they are preferred for video surveillance. In this article, we will discuss what a 180-degree camera is and how it works. We will explain their types and some important factors you need to consider while buying them. We have also hand-picked some of the best cameras to save you time.

What is a 180-degree IP camera? A 180-degree IP camera offers a 180-degree field of view. It covers a wider area, which is why you need fewer cameras for surveillance.

Some of these cameras can pan and tilt over a range, while some cameras have dual lenses, and the final image of both lenses is combined through a stitching algorithm. That’s how you get a 180-degree field of view.

Other than that, all features are almost similar to common IP cameras.

We can categorize 180-degree security cameras on the basis of their usage, wiring, and lens type. Let’s see how they differ.

Subject: New York State Launches Mobile ID App
Source: Phone Scoop

New York is now the ninth US state to offer an official, standards-compliant mobile ID (MiD). The new New York Mobile ID app is available for both Android and iOS. The dedicated app is required for both setup and use; New York’s solution is not yet compatible with Apple Wallet nor Google Wallet. During setup, the user scans both their physical ID card and face. The app can then display a personalized QR code any time identity and/or age need to be verified. The code is scanned by the person requesting verification using any standard-compliant verification app. They then choose what information to request, the ID holder gives permission on their device, then the requested information (and that info only) is transmitted wirelessly and automatically verified with the NY DMV. The ID holder does not need to hand over their phone at any time. The verifying device must have an internet connection, but the device of the ID holder can be offline. The TSA currently accepts mobile ID at 28 airports, including all terminals of JFK and LaGuardia in New York City. Businesses that need to check ID can start accepting mobile ID at any time, but verification apps are not yet in widespread use. New York’s app is similar to that of California, Iowa, Louisiana, and Utah. States with mobile IDs that can also be added to mobile wallets are: Arizona, Colorado, Georgia, and Maryland.

Subject: AI in law enforcement is risky, but holds promise
Source: Route Fifty

Leaders should not be reluctant to use AI in controversial applications, even if they risk blowback, one city’s CIO advises.

For some, the use of artificial intelligence in law enforcement might conjure images of the movie “Minority Report,” where the Precrime Division arrests suspects before they can commit any actual crimes. Others may envision a dystopian surveillance state where residents can be identified by facial recognition technology and tracked through their phone, networked cameras and automated license plate readers. Local leaders acknowledge imperfect algorithms that try to predict where crimes might occur can make mistakes and perpetuate ongoing biases and stereotypes about certain communities. Some have considered banning facial recognition in public spaces because of its potential for abuse.

But for many, AI’s possible benefits make it worth trying.

Navigating the desire to innovate with the responsibility to protect people, especially those groups who have faced discrimination in the past, remains a delicate balance, however.

Outside groups are already skeptical of police use of AI. In a policy brief, the NAACP warned that the use of predictive policing and AI within law enforcement agencies can “increase racial biases,” even as they aim to improve “efficiency and objectivity.”


Subject: The next administration must be ready for new quantum encryption standards, MITRE advises
Source: Nextgov/FCW

The next presidential administration — whether it be a second term for current President Joe Biden or former President Donald Trump — will have to focus on ensuring the U.S. is ready for quantum computing to outperform the encryption methods currently used to secure data, a top federally-backed research group argues. MITRE said in an advisory document released last week that the next presidential administration will need to prioritize such quantum computing advances, as well as critical infrastructure protections, clarification of cyber leadership roles and implementation of a zero trust framework for the federal government.

The readout is part of a series of releases from the federally affiliated national security research giant ahead of the upcoming election and possible transition of power in the White House. The release is the first of its kind in the 2024 election season that focuses on U.S. cybersecurity policy.

“While it is hard to predict precisely when quantum computing will crack the current encryption, the U.S. government must prepare now to protect data — past, present, and future — in the context of post-quantum cryptography,” said the MITRE advisory, referring to a new era of cryptographic algorithms that are designed to be secure against the capabilities of quantum computers. The National Institute of Standards and Technology has been in the process of developing tools to help agencies migrate to PQC standards, as directed by the White House.



Subject: Microsoft Refused to Fix Flaw Years Before SolarWinds Hack
Source: ProPublica

Microsoft hired Andrew Harris for his extraordinary skill in keeping hackers out of the nation’s most sensitive computer networks. In 2016, Harris was hard at work on a mystifying incident in which intruders had somehow penetrated a major U.S. tech company. The breach troubled Harris for two reasons. First, it involved the company’s cloud — a virtual storehouse typically containing an organization’s most sensitive data. Second, the attackers had pulled it off in a way that left little trace.

He retreated to his home office to “war game” possible scenarios, stress-testing the various software products that could have been compromised.

Early on, he focused on a Microsoft application that ensured users had permission to log on to cloud-based programs, the cyber equivalent of an officer checking passports at a border. It was there, after months of research, that he found something seriously wrong.

The product, which was used by millions of people to log on to their work computers, contained a flaw that could allow attackers to masquerade as legitimate employees and rummage through victims’ “crown jewels” — national security secrets, corporate intellectual property, embarrassing personal emails — all without tripping alarms.


Subject: How Local Government Fraud Has — and Hasn’t — Changed Since the Pandemic
Source: ProPublica

When the COVID-19 pandemic upended the workplace, jobs went remote, offices had to adopt new technologies and longtime employees suddenly departed. Federal stimulus dollars flooded into state and local government accounts, and fraudsters had a heyday. The pandemic was only one of several recent disruptions to roil the financial operations of state and local governments, which oversee $4 trillion a year in spending. Payments — and paper trails — have gone digital. Scammers can now use AI tools to streamline their hunt for victims, including within government agencies. And local newspapers in the United States, one historic line of defense against graft, are disappearing at a rate of 2.5 a week.

Few states have a better view into the latest ways people are stealing and otherwise misspending local government dollars than Washington.

Obviously, technology has made a lot of advances since the pandemic, AI being a big part of that. There’s FraudGPT, which is like ChatGPT — but it’s for fraudsters. [The bot’s developer claims it can create malicious computer code, write scam letters and hack websites.] It’s paving the path for them to easily get fake checks, fake statement templates, emails to do phishing schemes and so on. We wouldn’t know whether folks are using FraudGPT or not in the schemes we see, but I could guess based on the emails our governments are falling for.

After two decades in this job, has your view of humanity darkened?

Not really. I think working here has made me think better overall of humanity. I’m seeing so many people choose a career in public service. Whether that’s elected officials, department heads or down to the finance staff, there’s just so many people that work so incredibly hard and probably get a lot of grief, unfortunately. We have our fraudsters, but it’s such a small percentage.

Subject: Pope Francis raises alarm about AI at G7 summit
Source: AP News

BARI, Italy (AP) — Pope Francis challenged leaders of the world’s wealthy democracies Friday to keep human dignity foremost in developing and using artificial intelligence, warning that such powerful technology risks turning human relations themselves into mere algorithms. Francis brought his moral authority to bear on the Group of Seven, invited by host Italy to address a special session at their annual summit on the perils and promises of AI. In doing so, he became the first pope to attend the G7, offering an ethical take on an issue that is increasingly on the agenda of international summits, government policy and corporate boards alike. Francis said politicians must take the lead in making sure AI remains human-centric, so that decisions about when to use weapons or even less-lethal tools always remain made by humans and not machines. … “No machine should ever choose to take the life of a human being,” he said. … “To speak of technology is to speak of what it means to be human and thus of our singular status as beings who possess both freedom and responsibility,” he said. “This means speaking about ethics.” …

Subject: How AI and the cloud are accelerating scientific discoveries. Will government be ready?
Source: FedScoop [sponsored … ]

New AI-enabled platforms promise to revolutionize scientific and governmental research — and unleash new considerations for federal agencies, says a new report.

The convergence of artificial intelligence (AI) and high-performance cloud computing is dramatically reshaping the landscape of scientific research and discovery. Scientific breakthroughs that once took years to achieve are emerging in weeks, presenting new and powerful solutions to address complex global challenges.

However, the accelerating rate of innovation also raises critical strategic questions for government and public policy institutions and whether they are prepared for the surge, suggests a new report.

AI’s emerging impact in the laboratory has made one thing clear: The scientific and research community is at the cusp of a new era when AI-propelled science will move at unprecedented speed and likely reshape priorities for government agencies responsible for agriculture, environmental protection, health, national security and other domains.


Posted in: AI, Cybercrime, Cybersecurity, Education, Legal Research, Privacy, Technology Trends