Cybersecurity News of the Week, April 2, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Special Report: Large Language Models and Artificial Intelligence. John F. Kennedy said that crisis represented both danger and opportunity. And so it is with the rush to embed large language models into everything. Crisis = Danger + Opportunity. Opportunity abounds. I’ve been using ChatGPT and look forward to the day when I can use a tool like it to help me do a better job of finding the best stories for the Cybersecurity News of the Week. And I know how much better we the people will be as we bring AI to bear on challenges from health care to economics to my own field of cybersecurity.

But I also know the danger that comes with the “AI crisis.” We’re already seeing ChatGPT used to write malware and to craft phishing lures that are far harder to detect. It’s being used in misinformation and disinformation campaigns. It is already beginning to disrupt industries and is destined to become more disruptive as it advances.

AI’s risk to society — to democracy — is profound. That’s why it’s so important that we the people get our arms around it before it gets its artificial arms around us.

In the spirit of the 2,000-year-old Hippocratic oath, we must train these models to “First, do no harm.”

  • The dark side of Large Language Models: As the capabilities of LLMs such as ChatGPT are actively being improved, the potential exploitation of these types of AI systems by criminals provides a grim outlook. The following three crime areas are amongst the many areas of concern identified by Europol’s experts: fraud and social engineering; disinformation; cybercrime. As technology progresses, and new models become available, it will become increasingly important for law enforcement to stay at the forefront of these developments to anticipate and prevent abuse. Europol, March 27, 2023
  • Microsoft Puts ChatGPT to Work on Automating Cybersecurity: Microsoft on Wednesday rolled out an AI-powered security analysis tool to automate incident response and threat hunting tasks, showcasing a security use-case for the popular chatbot developed by OpenAI. Security Week, March 28, 2023
  • This Uncensored Chatbot Shows What Happens When AI Is Programmed To Disregard Human Decency: FreedomGPT spews out responses sure to offend. Its makers say that is the point. …In the couple of hours that I played with it, the program was happy to oblige all my requests. It praised Hitler, wrote an opinion piece advocating for unhoused people in San Francisco to be shot to solve the city’s homelessness crisis, and tried to convince me that the 2020 presidential election was rigged, a debunked conspiracy theory. It also used the n-word. BuzzFeed, March 29, 2023
  • Artificial Intelligence: UNESCO calls on all Governments to implement Global Ethical Framework without delay: Following calls by over 1,000 tech workers this week for a pause in the training of the most powerful AI systems, including ChatGPT, UNESCO calls on countries to fully implement its Recommendation on the Ethics of Artificial Intelligence immediately. This global normative framework, adopted unanimously by the 193 Member States of the Organization, provides all the necessary safeguards. UNESCO, March 30, 2023
  • Elon Musk, Apple co-founder, other tech experts call for pause on ‘giant AI experiments’: ‘Dangerous race’: Musk, Wozniak, other tech innovators sign open letter urging temporary pause in the development of AI systems more powerful than OpenAI’s GPT-4, citing risks to society and civilization. The letter was issued by the Future of Life Institute and signed by more than 1,000 people, including Musk, who argued that safety protocols need to be developed by independent overseers to guide the future of AI systems. Fox News, March 29, 2023
  • Ethicists fire back at ‘AI Pause’ letter they say ‘ignores the actual harms’: A group of well-known AI ethicists have written a counterpoint to this week’s controversial letter asking for a six-month “pause” on AI development, criticizing it for a focus on hypothetical future threats when real harms are attributable to misuse of the tech today. TechCrunch, March 31, 2023
  • A Six-Month AI Pause? No, Longer Is Needed: It’s crucial that we understand the dangers of this technology before it advances any further. The Wall Street Journal, March 30, 2023

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us to improve community safety.

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … The Anti Phishing Working Group (APWG)

Kudos this week to the Anti Phishing Working Group (APWG). APWG unifies the global response to common cybercrimes and related infrastructure abuse through technical diplomacy; curation of a real-time clearinghouse of internet event data; development of applied research; and deployment and maintenance of global cybersecurity awareness campaigns. Like SecureTheVillage, APWG is a fellow member of Nonprofit Cyber.

Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform

Live on Cyber with Dr. Stan Stahl: (Video) (Podcast):

TikTok was all over the news last week as its CEO testified before a hostile Congress amid increasingly loud calls to ban it. What a great opportunity for Stan and Julie to riff on the complex challenges of the cyber-incunabula.

  • The opportunity TikTok gives the Chinese government to spy on Americans, even people who don’t use it.
  • TikTok’s opportunity to deliver misinformation and disinformation to affect the 2024 election.
  • The impact of TikTok and other social media platforms on the well-being of our youth.
  • The First Amendment.

Stan and Julie discuss the challenges we the people have as we navigate the cyber-incunabula. And as we discussed in podcast #3, “For every complex problem there is an answer that is clear, simple, and wrong.” As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware. 

Following up our Top of the News, here’s a story of how DeepFakes are being used in scams.

Section 3 – Cybersecurity News for the Cyber-Concerned.

The United States and 9 other nations are working to counter the threat posed by commercial spyware — such as NSO Group’s Pegasus — against journalists, human rights defenders, dissidents, and others.

  • President Biden Signs Executive Order to Prohibit U.S. Government Use of Commercial Spyware that Poses Risks to National Security: Today, President Biden signed an Executive Order that prohibits, for the first time, operational use by the United States Government of commercial spyware that poses risks to national security or has been misused by foreign actors to enable human rights abuses around the world. The White House, March 27, 2023
  • US, UK, eight others unite on cyber protections for dissidents, journalists, advocacy groups: Cyberthreats against “civil society organizations, human rights defenders, dissidents, advocacy groups, journalists, and cultural institutions” have pushed 10 nations to create a forum for sharing ways to protect those groups and others. … “Authoritarian governments are increasingly using cyber means to target these groups, both within their countries and across international borders, including in acts of transnational repression to censor political opposition and track dissidents,” the nations said in a joint statement released by the Cybersecurity and Infrastructure Security Agency in the U.S. … The members of the new Strategic Dialogue on Cybersecurity of Civil Society Under Threat of Transnational Repression are Australia, Canada, Denmark, Estonia, France, Japan, New Zealand, Norway, the U.K. and the U.S. The Record, March 30, 2023

Also in national security news, a large cache of Russian cyberwarfare documents has been leaked by a whistleblower angry over the Ukraine war.

  • ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics: Documents leaked by whistleblower angry over Ukraine war. Private Moscow consultancy bolstering Russian cyberwarfare. Tools support hacking operations and attacks on infrastructure. Documents linked to notorious Russian hacking group Sandworm. Russian program aims to control internet and spread disinformation. … For several months, journalists working for 11 media outlets, including the Guardian, Washington Post and Le Monde, have investigated the files in a consortium led by Paper Trail Media and Der Spiegel. Five western intelligence agencies confirmed the Vulkan files appear to be authentic. The Guardian, March 30, 2023

As we stumble our way into online voting, it’s absolutely positively vital that online voting platforms be secure, private, and transparent. The people who claim to give a “clean bill of health” to these systems must be independent of the companies developing them. This makes the following story extremely important as an illustration of how careful we must be to keep the fox out of the hen house.

This week in cybercrime, the fallout continues from two separate campaigns: the mass exploitation of a zero-day vulnerability in GoAnywhere, a popular file-transfer product, and a supply chain attack that trojanized the installer of 3CX, a video conferencing and online communication product.

  • Hackers post data stolen from the Housing Authority of the City of Los Angeles: After extending a deadline for weeks in an attempt to extract a ransom, hackers have posted a trove of data seized late last year from the Housing Authority of the City of Los Angeles. Los Angeles Times, March 31, 2023
  • Subprime Lender TitleMax Hit With Hacking Incident: The parent company of subprime lender TitleMax says hackers made off with the Social Security numbers and financial account information of up to nearly 5 million individuals. … The breach exposed the names, dates of birth, driver’s license and Social Security numbers of 4,822,580 people. The incident also exposed customers’ financial account information. TMX brands have come under repeated federal scrutiny for their lending practices, which typically require a customer to put a car or motorcycle up as collateral. The Consumer Financial Protection Bureau fined it $9 million in 2016 and a further $10 million in February in an enforcement action that also required TMX to refund $5 million in fees to consumers. BankInfo Security, March 31, 2023
  • The latest mass ransomware attack has been unfolding for nearly two months: The year’s second mass ransomware attack has claimed some big victims. … A slow-motion mass ransomware attack has been unfolding over nearly two months, with new victims like Procter & Gamble and a U.K. pension fund acknowledging as recently as last week that they were hit. … In all, Clop — the ransomware gang responsible for the attack, whose name is sometimes stylized as Cl0p — claims that it has hit 130 victims by exploiting a previously unknown “zero-day” vulnerability in a popular file-transfer software. The Washington Post, March 27, 2023
  • Supply chain cyberattack with possible links to North Korea could have thousands of victims globally: An attack that could be the work of the notorious Lazarus Group attempted to install infostealer malware inside corporate networks. … Researchers with cybersecurity firm SentinelOne’s SentinelLabs team traced illicit activity flagged by its detection systems back to the installation software from a company called 3CX, which according to its website provides video conferencing and online communication products to companies such as Toyota, McDonalds, Pepsi and Chevron. In total, the company says it serves some 12 million customers globally. CyberScoop, March 29, 2023
  • ‘They outsmarted us.’ 3CX CEO acknowledges mistakes handling potential supply chain cyberattack: “We have a security team, we do our own pentesting, we’ve got software scanners, we got a CSO … Nonetheless, they outsmarted us.” CyberScoop, March 30, 2023

Two stories on the cybersecurity legal front as Dish is sued and a NY law firm is fined, both the result of poor cybersecurity practices.

  • Dish hit with investor lawsuits after cyberattack: Not that Dish Network needs any more problems, but lawsuits are piling up in reaction to the ransomware attack that shut down critical parts of its internal network last month. … On Thursday, the law firm of Levi & Korsinsky announced a class action securities lawsuit accusing Dish of making false and misleading statements related to the cyberattack. … Other class action suits were filed by Bragar Eagel & Squire, Bernstein Liebhard and New York attorney Vincent Wong. FIERCE Wireless, March 31, 2023
  • Law firm fined $200,000 over ‘poor data security’ that led to ransomware attack: New York’s attorney general has levied a $200,000 fine on a law firm representing hospitals whose sensitive files were accessed in a 2021 ransomware attack. … Attorney General Letitia James accused the New York City-based firm, Heidell, Pittoni, Murphy & Bach (HPMB), of having “poor data security,” resulting in the leak of some 114,000 people’s information, including about their health. The Record, March 27, 2023

Medical devices will soon offer improved cybersecurity as the FDA begins implementing authority it was given last December in the omnibus appropriations bill.

  • FDA can now reject new medical devices over cyber standards: The Food and Drug Administration affirmed Wednesday that medical device manufacturers must now prove their products meet certain cybersecurity standards in order to get the agency’s approval. … The guidelines were laid out in the omnibus appropriations bill signed into law last December, which authorized the FDA to impose security requirements on manufacturers and allocated $5 million to the cause. The rules came into effect on Wednesday — 90 days after the bill was enacted. … Under the law, manufacturers must design and release updates and patches after a product goes to market, provide a software bill of materials, and submit a plan for identifying and addressing “postmarket cybersecurity vulnerabilities.” The rules impact devices that have software and are connected to the internet, for example insulin pumps, blood sugar monitors, and certain pacemakers. The Record, March 29, 2023

Section 4 – Managing Information Security and Privacy in Your Organization.

  • Update now if you use 3CX or GoAnywhere. Both are under active attack.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge