Archive for December 13, 2023

If You Use Dropbox, It Could Be Sending Your Data To Open AI

Posted in Commentary with tags on December 13, 2023 by itnerd

From the “like seriously??” department comes news that Dropbox may be sending your data to Open AI:

On Wednesday, news quickly spread on social media about a new enabled-by-default Dropbox setting that shares your Dropbox data with OpenAI for an experimental AI-powered search feature. Dropbox says that user data shared with third-party AI partners isn’t used to train AI models and is deleted within 30 days.

Even with assurances of data privacy laid out by Dropbox on an AI privacy FAQ page, the discovery that the setting had been enabled by default upset some Dropbox users. The setting was first noticed by writer Winifred Burton, who shared information about the Third-party AI setting through Bluesky on Tuesday, and frequent AI critic Karla Ortiz shared more information about it on X.

Ortiz expressed worries that the data might be trained secretly without consent. In its FAQ, Dropbox contradicts this claim, saying, “We won’t let our third-party partners train their models on our user data without consent.”

Either way, communication about the change could have been clearer. AI researcher Simon Willison wrote, “Great example here of how careful companies need to be in clearly communicating what’s going on with AI access to personal data.”

Yikes! That’s really bad. Now Dropbox has not provided a comment beyond the FAQ above. Thus I will be interested to see what they say and how they handle this. But if this bothers you, and it should, then here’s how you opt out of this:

Disabling the feature is easy if you prefer not to share Dropbox data with OpenAI. Log into your Dropbox account on a desktop web browser, then click your profile photo > Settings > Third-party AI. This link may take you to that page more quickly. On that page, click the switch beside “Use artificial intelligence (AI) from third-party partners so you can work faster in Dropbox” to toggle it into the “Off” position.

Dropbox better have a good reason for this because right now, this is sketchy AF as the kids say.

UK Infrastructure Unprepared For A Catastrophic Ransomware Attack

Posted in Commentary with tags on December 13, 2023 by itnerd

In a new report, A hostage to fortune: ransomware and UK national security, the UK’s House of Commons Committee explains how the UK is at high risk of a “catastrophic” ransomware attack and that the government is not prepared to deal with the threat.

The Joint Committee on the National Security Strategy found that “large swathes” of UK critical national infrastructure are vulnerable to ransomware because they are operating on outdated IT systems, such as the NHS, which largely operates on legacy infrastructure, putting it in a “particularly difficult position to protect itself from cyber-attacks.”

There is “next to no” state support for most ransomware victims, and often a poor understanding of cyber among police forces, largely due to minimal funding and difficulties recruiting cyber specialists, as private sector pay and career progression are more appealing.

The Joint Committee on the National Security Strategy set out many recommendations for the UK government to improve its ability to respond to a ransomware threat, covering responsibilities, funding and training.

David Ratner, CEO, HYAS Infosec had this to say:

   “Attacks on critical infrastructure have the potential to not just cause damage but actually impact human lives; as such, the protection of critical infrastructure should be paramount around the world.  Doing so requires not just updated IT systems and proper patching and processes, but a changed mindset of what protection really means — shifting from prevention to resiliency.  With constantly changing attacks, the only real effective strategy going forward is for critical infrastructure everywhere to adopt operational resiliency approaches to ensure continued operations.”

The UK really has to get a handle on this. Because now that this report is out there, someone is going to take a shot at pwning them. Assuming someone isn’t in the process of doing so already.

#PSA: Lightroom Classic Users Should NOT Update To macOS 14.2 Sonoma

Posted in Commentary with tags on December 13, 2023 by itnerd

To be fair, most people who play with apps like Lightroom tend to avoid updating their OS right away. But just in case there’s someone out there who likes to live on the bleeding edge, here’s a warning for you. Adobe has put out a warning that you should not update your Mac to macOS 14.2 Sonoma.

If you read the warning, there are issues with device-related workflows, like connecting your camera to your Mac and using Lightroom to import photos. Apparently Apple and Adobe are working on fixing these issues. But I seriously doubt that any fixes will appear before next year. Thus I would stay on macOS 14.1 for now.

GM Says It’s Ditching Apple CarPlay And Android Auto For Safety Reasons….. WTF?

Posted in Commentary with tags on December 13, 2023 by itnerd

I’ve previously covered the fact that GM is in the midst of ditching Android Auto and Apple CarPlay in favour of their own system that is built on top of Android Automotive. Which, to be clear, is not the same thing as Android Auto. I’ve been watching this story for a while and the reaction to this move by GM is pretty negative. As in this will come back to haunt GM. Well, it seems that GM hasn’t figured that out, as it appears that they are doubling down on making this change via this article:

Tim Babbitt, GM’s head of product for infotainment, gave MT a better explanation at a press event for the new Chevrolet Blazer EV, the flagship vehicle in the no CarPlay or Android Auto strategy (and our 2023 MotorTrend SUV of the Year winner). According to him, there’s an important factor that didn’t make it into the fact sheet: safety. Specifically, he cited driver distraction caused by cell phone usage behind the wheel.

According to Babbitt, CarPlay and Android Auto have stability issues that manifest themselves as bad connections, poor rendering, slow responses, and dropped connections. And when CarPlay and Android Auto have issues, drivers pick up their phones again, taking their eyes off the road and totally defeating the purpose of these phone-mirroring programs. Solving those issues can sometimes be beyond the control of the automaker. You can start to see GM’s frustration.

Babbitt’s thesis is that if drivers were to do everything through the vehicle’s built-in systems, they’d be less likely to pick up their phones and therefore less distracted and safer behind the wheel. He admits, though, GM hasn’t tested this thesis in the lab or real world yet but believes it has potential, if customers go for it.

Okay. Where do I start to unpack this? First of all, just because GM drops their own system into cars and ditches Android Auto and Apple CarPlay doesn’t mean that people will be less likely to pick up their phones while driving. After all, if there’s some sort of functionality that the car doesn’t do but the phone does, the driver is reaching for the phone. Full stop. Next is the “stability issues” that this GM talking head is referring to. I am going to assume that he’s talking about wireless Apple CarPlay and wireless Android Auto. And he does have a bit of a point. I’ve had the odd occasion where I had to troubleshoot issues getting new cars to work with either of those. And early implementations of either can be slow. But there’s a solution to that. It’s called a cable.

The big takeaway from this MotorTrend article is that it highlights the fact that GM wants way more control over your in-car experience. And in GM’s case that control includes coming up with an in-car system that creates a new revenue stream for them by mining the daylights out of everything that you do in the car. But to be fair, they aren’t alone in wanting to do that. However, GM seems far too keen on wanting to do this. And safety is the latest excuse for them wanting to yank features that people want, because I suspect in private, they know that this move isn’t popular and they’re trying to find any possible way to get people to buy in. I think it’s safe to say that none of this is going to work for GM. And I suspect they’re going to find that out the hard way when people don’t visit their dealerships because they don’t have cars with Android Auto and Apple CarPlay.

BREAKING: Tesla Will Recall 2 Million Vehicles Because Of An Autopilot Flaw

Posted in Commentary on December 13, 2023 by itnerd

Pretty much every Tesla that has ever been made in the US is being recalled to fix a flaw in Autopilot. According to a National Highway Traffic Safety Administration notice, the recall affects 2,031,220 Teslas, including the Model S, Model X, Model 3 and Model Y. And here’s what’s going to be addressed:

In certain circumstances when Autosteer is engaged, if a driver misuses the SAE Level 2 advanced driver-assistance feature such that they fail to maintain continuous and sustained responsibility for vehicle operation and are unprepared to intervene, fail to recognize when the feature is canceled or not engaged, and/or fail to recognize when the feature is operating in situations where its functionality may be limited, there may be an increased risk of a collision.

Keep in mind that Tesla has had its Autopilot system under scrutiny for years, as investigators suspect the Autopilot feature is the cause of several crashes across the country, some of which have resulted in deaths of both drivers and pedestrians. Thus this was coming for a while. Also keep in mind that 360,000 Teslas that have the Full Self-Driving feature were recalled in February. Which is also not a good look for Tesla. Finally, I am pretty sure that this will expand to other countries. Meaning that Tesla will be having not only a very bad day, but a bad holiday season because of this. And Elon Musk, being the less than fully functioning adult that he is, will be raging on Twitter because of this.

New BazarCall Attack Variant Discovered: Threat Actors Leverage Google Form With Call-Back Phishing

Posted in Commentary with tags on December 13, 2023 by itnerd

Abnormal Security has revealed its discovery of a novel BazarCall phishing attack variant that uses Google Forms to increase the appearance of legitimacy and elevate the perceived authenticity of the initial malicious emails. The new attack report shows an email sent by the threat actors as part of the phishing attack, with a real-world example of a Google Form whose details resemble those used in a traditional BazarCall attack.

BazarCall/BazaCall, aka call-back phishing, is a remarkably sophisticated attack strategy that gained notoriety in 2020 due to its unusual method of distributing malware: manipulating victims into interacting with the attackers through a simple phone call. BazarCall attacks typically start with a phishing email designed to appear as a payment notification or subscription confirmation from a known brand.

The attacker creates a Google Form and adds details about the fake transaction, including an invoice number and date, method of payment, and information about the product or service that was purportedly purchased; enables the response receipt option on the Settings tab; and sends the invitation to complete the form to themselves. When the invitation arrives, the attacker clicks the Fill Out Form button, which opens the Google Form. Because the resulting receipt is generated and delivered by Google, the email that reaches the victim carries Google’s branding and sender infrastructure rather than the attacker’s.
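The traits described above (a Google Forms response receipt carrying invoice or subscription language, a phone number the recipient is told to call, and no link to click) are also what a mail filter can key on. The following is an added defender-side example, not code from Abnormal Security or from the report: a small scorer that parses a raw email, checks for each trait, and flags a message when enough of them line up. The three sample emails are constructed for this example, the sender address Google Forms uses for response receipts is an assumption, and the indicator weights and threshold are illustrative choices rather than anything the report specifies.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a Google Forms response receipt carrying fake
# billing details and a call-back number (no real brand or number).
SAMPLE_CALLBACK = """From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Your subscription renewal - Invoice #INV-00000
Content-Type: text/plain; charset=utf-8

Thank you for your purchase. Your annual subscription has been renewed.
Invoice number: INV-00000
Date: 2023-12-12
Payment method: card ending 0000
Amount charged: $399.99
If you did not authorize this transaction, call our billing team at (555) 555-0100.
"""

# Constructed sample: a legitimate Forms receipt with no billing content.
SAMPLE_SURVEY = """From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Team offsite RSVP
Content-Type: text/plain; charset=utf-8

Thanks for filling out "Team offsite RSVP". Here is what you submitted:
Attending: Yes
Dietary needs: none
"""

# Constructed sample: ordinary person-to-person mail.
SAMPLE_BENIGN = """From: Alice <alice@example.com>
To: victim@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset=utf-8

Are you free around noon? The new place on 5th has decent tacos.
"""

# Address Google Forms uses for "response receipt" mail (assumed here).
FORMS_RECEIPT_SENDER = re.compile(r"forms-receipts-noreply@google\.com", re.I)
BILLING = re.compile(
    r"\b(?:invoice|subscription|renew(?:al|ed)?|charged|payment|transaction)\b", re.I)
# North American style numbers: optional country code, 3-3-4 digits.
PHONE = re.compile(
    r"(?<!\d)(?:\+?\d{1,2}[\s.-])?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
CALL_VERB = re.compile(r"\b(?:call|phone|dial)\b", re.I)
LINK = re.compile(r"https?://|www\.", re.I)

FLAG_THRESHOLD = 3  # illustrative: three or more indicators gets flagged


def body_text(msg: Message) -> str:
    """Return the plain-text body (first text/plain part for multipart mail)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                charset = part.get_content_charset() or "utf-8"
                return part.get_payload(decode=True).decode(charset, "replace")
        return ""
    charset = msg.get_content_charset() or "utf-8"
    return msg.get_payload(decode=True).decode(charset, "replace")


def score_email(raw: str) -> dict:
    """Score one raw RFC 822 message on the call-back phishing indicators."""
    msg = message_from_string(raw)
    sender = msg.get("From", "")
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    reasons = []
    if FORMS_RECEIPT_SENDER.search(sender):
        reasons.append("delivered as a Google Forms response receipt")
    if BILLING.search(text):
        reasons.append("invoice/subscription/payment language")
    if PHONE.search(text) and CALL_VERB.search(text):
        reasons.append("tells the recipient to call a phone number")
        if not LINK.search(text):
            # Call-back phishing offers no link at all: the phone call is the lure.
            reasons.append("no link present; the call is the only action offered")
    score = len(reasons)
    return {"score": score, "flagged": score >= FLAG_THRESHOLD, "reasons": reasons}


if __name__ == "__main__":
    for name, sample in (("callback", SAMPLE_CALLBACK),
                         ("survey", SAMPLE_SURVEY),
                         ("benign", SAMPLE_BENIGN)):
        print(name, score_email(sample))
```

The survey receipt shows why the Google Forms sender alone is not a useful signal: it scores one point and is left alone, while the constructed call-back receipt trips all four indicators. In production the same scoring would feed a quarantine or banner rule rather than a hard block, since legitimate billing receipts do occasionally include a support number.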

You can read all the details here.

VISO TRUST Shared Assessments Licensing Lets Risk Professionals Expand Assessments Scope Immediacy

Posted in Commentary with tags on December 13, 2023 by itnerd

VISO TRUST reaffirms its commitment to staying at the forefront of cybersecurity innovation by announcing the licensing of the 2024 Shared Assessments Standardized Information Gathering (SIG) Questionnaire for its state-of-the-art platform.

The Shared Assessments SIG Questionnaire is renowned across industries for its role in standardizing third-party risk information. From vendor artifacts and evidence, and with no need for human interaction, the VISO TRUST platform delivers:

  • Questionnaire-free assessments;
  • Full auto-population of the Shared Assessments SIG;
  • Uploading and full auto-population of every TPRM questionnaire, including custom questionnaires;
  • Unprecedented speed of completion of third party and Nth party assessments.

Automatically populating the SIG or any custom questionnaire from vendor artifacts and evidence, without requiring human interaction, empowers risk professionals in numerous ways. For example, it equips them to:

  1. Focus on the more strategic aspects of their mission,
  2. Expand their program’s scope to include analysis of both vendors and partners who are currently identified as high risk, and also analyze and more fully understand cyber risks presented by the broader array of their ecosystem vendors,
  3. Identify high-risk vendors with up to 500% greater accuracy,
  4. Rapidly achieve new levels of TPRM program maturity,
  5. Give senior management a new holistic perspective on vendor risk, and
  6. Alert senior management immediately on “red flags” presented by potential partners and acquisition targets, and on the “blast radius” and potential organizational impacts arising from partners who are experiencing security events; and equip them to quickly and more completely respond to TPRM-related questions and issues raised by their Board or stakeholders.

Developed with input from 300 CISOs, the VISO TRUST Platform is relied upon by many of the largest and most mature companies, contains more than 2.4 million companies in its vendor database, recognizes more than 25 security frameworks, and leverages hundreds of different types of source artifacts.

The Shared Assessments SIG Questionnaire is revered for its thorough coverage of risk areas, enabling organizations to conduct comprehensive assessments of third-party cybersecurity. With its incorporation into VISO TRUST’s AI-powered TPRM platform, users gain the advantage of a holistic perspective on vendor risk, allowing for informed decisions with unparalleled precision.

VISO TRUST’s patented Artifact Intelligence supports any framework including the Shared Assessments framework but can also automatically complete SIG questionnaires using existing security program artifacts and evidence, and provide questionnaire-less assessments. Furthermore, it can enrich any completed SIG questionnaire to generate a comprehensive risk assessment without requiring user intervention.

Inclusion of the 2024 Shared Assessments SIG Questionnaire reflects VISO TRUST’s leadership in setting industry standards through the application of AI and adherence to best practices. This milestone further solidifies VISO TRUST’s position as an AI innovative leader in the TPRM arena and the frontrunner in cyber risk management.

For more information about VISO TRUST and its AI-powered TPRM platform, please visit www.visotrust.ai.