ChatGPT Under Investigation By The Canadian Privacy Commissioner… Though It Has Other Issues Elsewhere

Posted in Commentary with tags on April 5, 2023 by itnerd

The new hotness in AI known as ChatGPT is now under investigation by the Canadian Privacy Commissioner because of a complaint alleging the company is collecting, using, and disclosing personal information without proper permission:

“AI technology and its effects on privacy is a priority for my Office,” Privacy Commissioner Philippe Dufresne says. “We need to keep up with – and stay ahead of – fast-moving technological advances, and that is one of my key focus areas as Commissioner.”

The investigation into OpenAI, the operator of ChatGPT, was launched in response to a complaint alleging the collection, use and disclosure of personal information without consent.

As this is an active investigation, no additional details are available at this time.

Well, I suppose that it could have been worse. Though it still could be, as Italy has banned ChatGPT:

Last week, the Italian Data Protection Watchdog ordered OpenAI to temporarily cease processing Italian users’ data amid a probe into a suspected breach of Europe’s strict privacy regulations.

The regulator, which is also known as Garante, cited a data breach at OpenAI which allowed users to view the titles of conversations other users were having with the chatbot.

There “appears to be no legal basis underpinning the massive collection and processing of personal data in order to ‘train’ the algorithms on which the platform relies,” Garante said in a statement Friday.

Garante also flagged worries over a lack of age restrictions on ChatGPT, and how the chatbot can serve factually incorrect information in its responses.

The part about it serving up factually incorrect info is a real problem with ChatGPT. Take, for example, this from Philip N Cohen, a sociologist and demographer at the University of Maryland, via Mastodon:

Serious question: Can you sue an AI for this?

In any case, this is a huge problem for OpenAI, the maker of ChatGPT, and those who back it. Combined with the fact that it appears to hoover up your data, this makes the tool problematic. Thus I would not be at all surprised if more countries crack down on ChatGPT in some way, shape, or form. That brings me to another point: what happens if you’re a company that has integrated ChatGPT into your products? What then? That’s an interesting question, and I think we’re going to find out the answer shortly.

BlackFog Releases Their State of Ransomware Report For March 2023

Posted in Commentary with tags on April 5, 2023 by itnerd

BlackFog today released the State of Ransomware report for March 2023. And Dr. Darren Williams, CEO and Founder, BlackFog had this commentary on the report:

     “March witnessed a total of 28 ransomware attacks. While lower than January and February, this still represents a 4-year high, with a 12% increase over previous years. Most notably we continue to see the flow of effects from unreported attacks. March saw 1,403% of attacks going unreported, up from 478% and 543% in January and February respectively. Nearly a 3-fold increase from previous months.

March also saw Education increase its lead as the most targeted sector, increasing by more than 53%, with 26 attacks for the year, followed by government and healthcare with increases of 33% and 13% respectively.

LockBit continues to dominate as the key ransomware variant with 24.3% of reported attacks and 41.4% of unreported attacks. It should be noted that the sheer volume of unreported attacks this month was dominated by LockBit, and we expect this to be reflected in the disclosed attacks over the coming months. Similarly, both CLOP and Royal were highly leveraged in unreported attacks with 11.4% each.

Lastly, we note that it is now becoming less common for attacks to remain unclaimed as ransomware gangs seek notoriety, with only 14% unclaimed this month. We have also seen continued use of data exfiltration in more than 88% of attacks, with March witnessing a significant increase in the use of illegal networks, up 14% to 94% since February.”

Today’s full report can be found at: https://privacy.blackfog.com/wp-content/uploads/2023/04/BlackFogRansomwareReport-Mar-2023.pdf

Elon Musk Takes Out Flipboard’s Access To Twitter

Posted in Commentary with tags on April 5, 2023 by itnerd

It’s becoming clear that Elon Musk is walling off Twitter to make it an echo chamber that he completely controls. About the same time that this happened to WordPress, Flipboard’s access to Twitter was cut off:

Twitter, once a public square for ideas, is closing the free flow of information and has shut its gates to other platforms, including Flipboard. If you had connected your Twitter hashtags or feeds to Flipboard, you’ll notice those are no longer working. You may see gray tiles or broken links. Unfortunately, without access to the Twitter API, we can’t do anything to fix these issues.

As an alternative to the Twitter hashtags or lists you followed, consider following Flipboard Topic feeds. There are over 30,000 of them, on everything from #artificialintelligence to #twitter itself. They are high-quality feeds with little noise, delivering stories from trusted sources 24/7. Just use search to find what you’re interested in, follow the Topic, and comment on stories or share with others on Flipboard. 

Looking ahead, as Twitter continues to alienate its users, the next wave of social media will be on open platforms like Mastodon. Every day more and more people join Mastodon and we are there as well. If you already have a Mastodon account, be sure to follow Flipboard. If you want to explore this fast growing social platform, apply for a Mastodon account at flipboard.social. Once you have an account, connect it to your Flipboard, just like you had connected Twitter.

That response suggests to me that Flipboard isn’t going to play nice with Elon. Nor should they, as appeasing bullies only emboldens them. Elon, as I have said many times before, has completely lost the plot here. And it will cost him more than the $24 billion that he’s lost so far. He’ll be exposed for the charlatan that he is, and I along with many others will be there to laugh in his face.

Do You Need A VPN? It Depends…

Posted in Commentary with tags on April 5, 2023 by itnerd

You’ve likely seen ads online or via your favourite YouTuber saying that you need a VPN, and those ads make all sorts of claims about what a VPN does. But do you actually need one? The answer is a bit complicated. So instead of giving you a yes or no answer, I’m going to walk you through the various claims that VPN companies make, so that you have the information you need to decide whether a VPN is right for you.

First, let’s talk about what a VPN is. A VPN creates an encrypted connection between your device and a remote server operated by a VPN service. All your internet traffic is routed through this tunnel to the server, which then sends the traffic off to the public Internet as usual. Any traffic coming back to your device takes the reverse path. Because the tunnel is encrypted, nobody between your device and the VPN server (your ISP, or the operator of the WiFi you’re on, for example) can see what the traffic is until it exits the server and enters the public Internet. That is why VPNs appeal to some people.

The next thing I’ll deal with is whether you even need to pay for a VPN. I say that because some home router companies make it possible for you to create your own basic VPN if you have one of their routers that supports it. I’ll use ASUS as an example, as that is what I presently have at home. They have a “WireGuard” VPN feature that is built into many of their routers if your firmware is new enough, and they have documents that describe how to set it up on both the router end and the client end. In my mind, this is meant for people who have very basic needs and the time to tinker with stuff like this to get it working properly, rather than the average end user. But the advantage of creating your own VPN is that it is a $0 option that gets you some, but not all, of the benefits of a commercial VPN. More on that in a bit.

Speaking of the benefits of a commercial VPN that you often hear about, let’s walk through those and detail the facts behind them:

  • A VPN will make you anonymous online: This is sort of true. I say sort of because a VPN makes it more difficult, but not impossible, for your online activities to be seen by others. Your ISP, for example, may make a ton of money by selling information about what you do online, and a VPN may stop them from profiting from your surfing habits. But advertisers have many more ways to track your activities online, such as device fingerprinting or browser fingerprinting, which a VPN does nothing about. That means a VPN will not make you invisible online.
  • A VPN will protect you against malware and spyware: Frankly if you have up to date security software on your computer, I cannot really see how a VPN would add any additional value in this use case.
  • A VPN will keep you safe from other online threats: This isn’t exactly true. The main threats that you have to worry about online, besides spyware and malware, are pop up scams, social engineering scams, and phishing sites. A VPN will not address any of that. A better strategy for avoiding those threats is to use a DNS service such as Canadian Shield, which reduces the possibility that you will get hit by malware, pop up scams, and phishing scams by blocking them before they reach your computer, as long as those threats are known to that service. Plus I will note that some routers have built in security software to do the same thing, along with the protection that modern web browsers have. Thus I have difficulty seeing how VPNs add value in this use case.
  • A VPN will hide your BitTorrent activity: This is likely true if you’re the sort of person who is into “acquiring” copies of movies using this less than legal method. Your ISP is unlikely to see that you’re torrenting. But they will be able to see that you’re using a significant amount of bandwidth, which means you may still get an email from your ISP complaining about your activities.
  • A VPN will protect you if you use public WiFi: This is true. Coffee shop or hotel WiFi can be simply sketchy or really sketchy. For example, I’ve come across man in the middle attacks in a big name coffee shop chain here in Canada. My assumption is that they were sniffing traffic to figure out what you were doing so that they can either block it or sell that info. Perhaps both. And there’s nothing stopping a threat actor from setting up a fake WiFi network in a coffee shop to steal your information. Never mind a threat actor hacking a WiFi network to do the same thing. Thus using a VPN will help you to stay safer when you’re away from home.
  • A VPN can help you to bypass censorship: This is largely true. VPNs are often the go to method to get access to news, information, as well as using apps that may not be legal in a given country. The catch is that in any country that has censorship in place, it’s often illegal to use a VPN to get access to news, information, or to use an app that isn’t legal in whatever country we’re talking about. Plus you might not be able to use a VPN at all as the government may have means in place to stop that from happening.
  • A VPN can help you to get access to streaming content that you can’t get in your country: This is largely true. VPNs have been used for a very long time to get access to content such as the British version of Netflix or Hulu if you live outside the US. The thing is that streaming services know many people use VPNs to access their content in ways that they don’t like and actively work to prevent it. Thus you should be advised that this might work until it doesn’t.
  • A VPN can make it look like you’re in another country: This is true. A VPN can make it look like you’re someplace else. That can help you to unlock streaming content for example. Or bypass censorship.

Now I want to circle back to the third paragraph, about creating your own VPN. While that can be an option for some, it doesn’t give you the ability to do the last three things on the list above, because your traffic still exits onto the Internet from your own home connection, in your own country. So if you want to run your own VPN, keep that in mind if any of that matters to you.
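As an added illustration (not taken from ASUS’s documentation), here is what the client side of a self-hosted WireGuard tunnel looks like, and the one setting that decides whether your public WiFi traffic is actually protected. The keys, addresses and hostname are placeholders.

```ini
# WireGuard client config (added example; every value below is a placeholder)
[Interface]
PrivateKey = <client-private-key generated with `wg genkey`>
Address = 10.8.0.2/32               # tunnel address the home router assigned to this client
DNS = 10.8.0.1                      # resolve DNS through the tunnel too, so name lookups
                                    # do not leak to the coffee shop's resolver

[Peer]
PublicKey = <home-router-public-key>
Endpoint = home.example.net:51820   # placeholder for your home router's public address
# Full tunnel: ALL traffic goes home first. This is what protects you on public WiFi;
# the cafe network sees only encrypted UDP between you and your router.
AllowedIPs = 0.0.0.0/0, ::/0
# Split tunnel (weaker for the public-WiFi use case): only traffic for your home LAN
# is tunnelled, and everything else still crosses the cafe WiFi unprotected.
# AllowedIPs = 192.168.1.0/24
PersistentKeepalive = 25            # keeps NAT mappings open on mobile networks
```

Either way, your traffic exits onto the Internet from your home connection, so this setup cannot make you appear to be in another country or get around censorship in your own.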

The final point that I want to cover is if you can trust your VPN provider. Many VPN companies have a “no logs” policy. That means that they don’t track your online activities. Or at least they say that they don’t. But besides the fact that a VPN provider may be compelled to hand over info to law enforcement or a government, there’s a bunch of other things to consider:

  • Since VPN providers see everything you do online, there is nothing stopping them from selling that data.
  • A provider could also inject ads into the websites you view.

My advice on that front is that when you choose a VPN provider, you should look for independent third-party audits that are easy to find, as well as clear privacy policies that spell out what the provider does and doesn’t do, so that you can make an informed decision as to whether they are the right choice for your needs.

So based on that, I would say whether you need a VPN or not depends on your use case. There are legitimate uses for a VPN, and there are cases where having a VPN would make no difference in your life. You’re going to have to decide which side of the fence you’re on and whether a VPN would be worth it for you. Hopefully this has been helpful to you, and if you have any questions, leave a comment below and I will do my best to answer them.

It Appears Elon Musk Broke The Ability For WordPress Sites To Post To Twitter For 24 Hours

Posted in Commentary with tags on April 5, 2023 by itnerd

As many of you know, I no longer post on Twitter because of what a clown show it has become. But when I did, I used functionality built into WordPress called the Jetpack Social tool to do it. Well, it’s a good thing that I don’t post on Twitter, as apparently Elon broke support for the Jetpack Social tool on April 3:

On April 3, Twitter suspended WordPress.com’s access to the Twitter API without warning. As a result, Jetpack Social — the built-in tool that we use to auto-share your posts to social media — is currently broken for Twitter. This means that auto-posting to Twitter via WordPress.com is not actively working. 

Thankfully, this issue is isolated to Twitter, which means that Jetpack Social connections to other platforms are unaffected. Rest assured that you can continue sharing to Tumblr, Facebook, and LinkedIn without interruption.

But then the next day this happened:

The earlier reported outage has been resolved. Twitter is working again for Jetpack Social and all other functionalities that depend on Twitter. All Jetpack Social connections to Twitter, Tumblr, Facebook, and LinkedIn can be used as usual. 

We are working with Twitter directly to ensure this service keeps running without interruption.

You have to wonder if WordPress paid Elon to get functionality working again. We’ll never know for sure. But the fact is that if you rely on some piece of code to do something that is related to Twitter, it may break without warning. That alone should make you reconsider your relationship with the platform. Especially if you’re a company or someone who is trying to promote themselves.

Repeat Ransomware Victims Are On The Rise Says Report

Posted in Commentary with tags on April 5, 2023 by itnerd

The 2023 Ransomware Insights report published by Barracuda Networks focused on an interesting finding: pay the ransom, get hit again. Their study showed that while 31% of organizations hit just once with a ransomware attack had paid the ransom, 34% of those hit twice had paid the first time, and 42% of those hit three or more times had paid the previous times. Quite the trend.

Of the respondents who paid the ransom to restore their data:

  • 31% got hit once
  • 34% of those were hit twice 
  • 42% of those were affected three times or more

Multiple attacks reported by sector include: 

  • 53% Energy, oil/gas, and utility firms
  • 46% of financial services
  • 29% healthcare

“The relatively high proportion of repeat victims suggests that security gaps are not fully addressed after the first incident,” said Fleming Shi, CTO, Barracuda.

And with 27% of organizations not feeling fully prepared for a ransomware attack, the report brings into question the effectiveness of cyber insurance. 

Hit by a ransomware attack:

  • With Insurance – 77% hit
  • No Insurance – 65% hit
  • 39% of the companies with cyber insurance paid the ransom
  • 22% of organizations without cyber insurance paid the ransom
  • 70% of organizations that were affected by multiple attacks had cyber insurance

Christopher Peacock, Principal Detection Engineer, SCYTHE has this comment:

   “The conclusion section of the report has two critical highlights I see for protecting against the deployment of ransomware. The first point is to patch public-facing vulnerabilities, which means organizations must first identify what services are public facing to the internet. 

   “The second point says, “The release of ransomware is often the final stage of attack and can be preceded, for example, by lateral movement, data exfiltration, the installation of additional tools, and more. If you can detect and block the attack at these earlier stages, you might be able to prevent the full impact of the ransomware.” Though prevention is ideal, we see actors continue to get through the cracks, so organizations must have robust alerting capabilities for the precursors before the ransomware deployment. Furthermore, alerts aren’t helpful unless they trigger a response, so having a process to verify that process for common ransomware precursors is paramount.

   “This approach was recently highlighted in the Red Canary Yearly Report in their statement, “We focus on trying to detect ransomware precursor activity in the initial access, reconnaissance, and lateral movement phases and help our customers stop it before it gets to exfiltration or encryption. The result is that we see many more so-called ransomware precursors than we do actual ransomware payloads.” 

Morten Gammelgaard, EMEA, co-founder, BullWall follows up with this: 

   “The Barracuda Ransomware Insights report suggests that paying the ransom doesn’t prevent future attacks, and in fact industries like energy, financial services, and healthcare are still more prone to suffer from multiple attacks. 

   “Companies can learn from this report by prioritizing their cybersecurity measures, improving their security posture and having a proactive approach to security. Cyber insurance is not a guarantee, and in fact may be encouraging attacks. Companies should have an incident response plan in place and run regular attack simulations to be prepared. Finally, organizations should collaborate with industry peers and share best practices to stay ahead of cyber threats.”

The best defence against being pwned by ransomware is not to get pwned. But if you do get pwned, you need to make sure that you don’t get pwned again. It really looks bad on any organization that is in that position, which means that you should not be that guy.

Elon Musk Is In Deep Trouble With Germany As Twitter Is About To Get Slapped For Not Taking Down Hate Speech

Posted in Commentary with tags on April 4, 2023 by itnerd

Elon, the legal consequences may be about to start hitting you while you do stupid stuff like change the Twitter symbol to the Dogecoin symbol. Germany is about to slap him silly:

In an early FAFO test for Elon Musk, Germany could be set to fine Twitter for repeatedly failing to comply with a social media hate speech takedowns law, aka the NetzDG, which requires swift removal of illegal content like hate speech.

The Federal Justice Office (BfJ) announced the move in a press release today — saying it’s instigated a proceeding under the country’s Network Enforcement Act (aka, NetzDG) after establishing there are “sufficient indications of failures” in the platform’s complaint management processes.

Under the NetzDG, social media platforms must respond to user reports of illegal content, checking what’s been reported and removing content if it confirms it’s illegal, within seven days — or 24 hours for the most obviously illegal stuff. What’s illegal is governed by Germany’s criminal code, which includes hate speech, abuse and threats, and antisemitism.

“Numerous pieces of content was reported to the BfJ that was published on Twitter, which the authority considers illegal and, despite user complaints, was not deleted or blocked by the provider within the legally stipulated periods. The fine proceedings initiated are based on this,” the BfJ said in a statement (which we’ve translated from German with machine translation).

“In the case of individual violations by providers of social networks, of the inspection and deletion obligations in the NetzDG, it cannot generally be assumed that there is no effective procedure for dealing with complaints about illegal content. However, a systemic failure of complaint management is subject to fines, which occurs when violations of the relevant specifications of the NetzDG occur repeatedly in a timely manner and in a manner that is relevant to the subject.”

The Office said the content it’s acting against Twitter over is “closely related in terms of time and substance” — indicating a “systemic failure in the provider’s complaint management”. “They were published on Twitter over a period of around four months and reported to the provider of Twitter as illegal by users,” it added. “All content contains similar, unjustified, defamatory statements of opinion, all directed against the same person. According to the BfJ, they constitute an offence.”

On paper, Germany’s NetzDG law allows for fines up to €50 million for breaches of the regime.

My guess is that the Germans are going to make an example of Elon because they can. Not to mention that Elon isn’t even trying to deal with hate speech. In fact, by all reports, it’s out of control on Twitter. So this is going to be a slam dunk for the Germans. And you have to wonder how Elon, who is less Tony Stark and more Johnny Knoxville, will handle this situation.

Place your bets now.

Jscrambler Threat Monitoring Now Available in Splunk Marketplace

Posted in Commentary with tags on April 4, 2023 by itnerd

Jscrambler, the leading solution for JavaScript protection and real-time webpage monitoring, today announces the integration of Jscrambler’s Threat Monitoring to the Splunk marketplace. Through a partnership between Jscrambler and Splunk, organizations can now integrate Jscrambler’s code integrity solution into their Splunk instance, providing them with more visibility into their web applications’ code integrity and a powerful tool to help them stay ahead of potential client-side cyber threats. 

Splunk is a leading data analytics and visualization platform that helps organizations monitor, analyze and visualize their machine data. Splunk’s customers include some of the world’s largest and most complex organizations, spanning a wide range of industries, including healthcare, finance and government. 

Jscrambler’s code integrity solution provides an effective way to protect web and mobile applications against tampering, reverse engineering and code injection attacks. By integrating Jscrambler into a Splunk instance, organizations can monitor the security of their applications in real-time and quickly identify any suspicious activity that may be indicative of a potential client-side attack. The Jscrambler Threat Monitoring Splunk app enables real-time notifications for any code tampering, reverse engineering or code injection attacks detected by Jscrambler, helping organizations stay one step ahead of potential threats. 

Find out more at: https://jscrambler.com/ or check out their listing on the GitHub Marketplace.

A Simple Developer Mistake Could Have Led To Bing.com Takeover

Posted in Commentary with tags on April 4, 2023 by itnerd

Discovered by the Wiz cloud security firm and dubbed BingBang, this vulnerability allowed researchers to change the top results in Microsoft’s Bing search engine and access any user’s private files by simply logging into an unsecured web page.

The vulnerability is centered on Microsoft Azure Active Directory: a multi-tenant application that does not check which tenant a login token came from will let any Azure user in the world log into it without proper credentials. All it took was a misconfigured app.

In this case it was the Bing trivia app:

After recognizing these issues and their potential impact, the researchers started scanning for vulnerable applications (multi-tenant apps lacking proper validation) on the internet. The results were shocking – approximately 25% of the multi-tenant apps they scanned were vulnerable.  

Most surprisingly, the list included an app made by Microsoft itself, named “Bing Trivia.”
Because this app was misconfigured, the researchers were able to log in to it with their own Azure user.

To verify that this CMS was indeed controlling Bing’s live results, they selected a keyword in the CMS and temporarily altered its content. They chose the “best soundtracks” search query, which returned a list of highly recommended movie soundtracks.

They then proceeded to change the first result, “Dune (2021),” to their personal favorite, “Hackers (1995),” and pushed it to production. Their new result, complete with their title, thumbnail, and arbitrary link, immediately appeared on Bing.com.

Researchers then found they could run Cross-Site Scripting (XSS) attacks, and since Bing and Office 365 are integrated, an attacker could access Bing users’ Office 365 data, including Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files. The researchers reported the flaw to Microsoft and it was patched shortly afterward, resulting in a $40,000 bug bounty reward.
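The check that was missing in the misconfigured app, as an added example (not code from Wiz, Microsoft or the Bing Trivia app): a multi-tenant Azure AD app that only asks “is this token for my app?” accepts tokens from every tenant, while the hardened version also pins the tenant and issuer. The client ID, tenant IDs and decoded claims below are constructed placeholders, the token signature is assumed to have been verified already, and the v2.0 issuer format is assumed.

```python
"""Added example: tenant validation for a multi-tenant Azure AD app.

Assumptions: IDs are placeholders; each `claims` dict is the payload of a JWT whose
signature has ALREADY been verified against Azure AD's keys; issuer follows the
v2.0 form https://login.microsoftonline.com/{tid}/v2.0.
"""
from typing import Dict, FrozenSet, Tuple

APP_CLIENT_ID = "00000000-0000-0000-0000-00000000beef"   # placeholder client ID
OUR_TENANT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder tenant ID
ALLOWED_TENANTS: FrozenSet[str] = frozenset({OUR_TENANT_ID})


def issuer_for(tenant_id: str) -> str:
    """Expected v2.0 issuer for a given tenant."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def accept_vulnerable(claims: Dict[str, str]) -> bool:
    """The BingBang-style misconfiguration: only 'is this token for my app?' is
    checked. Any Azure AD tenant can mint a token with this aud, so for a
    multi-tenant app this is effectively no authorization at all."""
    return claims.get("aud") == APP_CLIENT_ID


def accept_hardened(claims: Dict[str, str],
                    allowed_tenants: FrozenSet[str] = ALLOWED_TENANTS) -> Tuple[bool, str]:
    """Audience, tenant and issuer must all line up. Returns (accepted, reason)."""
    if claims.get("aud") != APP_CLIENT_ID:
        return False, "aud is not this app"
    tid = claims.get("tid")
    if tid not in allowed_tenants:
        # The fix: an explicit tenant allowlist (or register the app as
        # single-tenant so Azure AD enforces this before a token is ever issued).
        return False, f"tenant {tid!r} is not allowed to use this app"
    if claims.get("iss") != issuer_for(tid):
        # tid and iss must agree: a token issued by another tenant's authority
        # that merely carries our tid in its body must not pass.
        return False, "iss does not match tid"
    return True, "ok"


# Constructed sample payloads (no real tokens, no signatures).
FOREIGN_TENANT = "22222222-2222-2222-2222-222222222222"   # placeholder
OUR_USER = {"aud": APP_CLIENT_ID, "tid": OUR_TENANT_ID,
            "iss": issuer_for(OUR_TENANT_ID), "preferred_username": "alice@ours.example"}
FOREIGN_USER = {"aud": APP_CLIENT_ID, "tid": FOREIGN_TENANT,
                "iss": issuer_for(FOREIGN_TENANT), "preferred_username": "mallory@other.example"}
ISS_TID_MISMATCH = {"aud": APP_CLIENT_ID, "tid": OUR_TENANT_ID,
                    "iss": issuer_for(FOREIGN_TENANT), "preferred_username": "mallory@other.example"}
WRONG_APP = {"aud": "some-other-app", "tid": OUR_TENANT_ID,
             "iss": issuer_for(OUR_TENANT_ID), "preferred_username": "alice@ours.example"}


def compare(claims: Dict[str, str]) -> Dict[str, object]:
    """Side-by-side verdict of both checks for one decoded token."""
    ok, why = accept_hardened(claims)
    return {"vulnerable_accepts": accept_vulnerable(claims),
            "hardened_accepts": ok, "reason": why}


if __name__ == "__main__":
    for name, c in [("our user", OUR_USER), ("foreign tenant", FOREIGN_USER),
                    ("iss/tid mismatch", ISS_TID_MISMATCH), ("wrong app", WRONG_APP)]:
        print(f"{name:18} {compare(c)}")
```

The foreign-tenant case is the one that matters: the vulnerable check accepts it, the hardened check rejects it with the tenant named in the reason.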

Brad Hong, Customer Success Lead, Horizon3.ai had this to say:

   “The BingBang incident is a reminder that passwords and simple misconfigurations are still the number one attack vector for attackers. Seemingly arbitrary in nature, it can have severe consequences on an organization’s security posture. In this case, a misconfigured application made it possible for researchers to not only gain access to Microsoft’s Azure Active Directory without proper credentials, but then from a privileged perspective chain together and execute exploits on additional vulnerabilities after making their way into the castle.

   “Incidents like this validate why the industry is moving away from vulnerability models and into exploitability management, as the misconception is dispelled that attackers are looking to execute zero days, but rather the easiest ways to get in. It additionally highlights the necessity to continuously attack your own infrastructure to identify as the organization’s offerings and architecture change, new or extended vulnerabilities that can be leveraged to get in. It’s also a great reminder that as the world begins to consolidate software offerings, that linkages created between them in the name of convenience and accessibility can also become its greatest downfall.”

Luckily this was caught by a team of security researchers rather than threat actors, otherwise this could have gone very, very sideways. This goes to prove that anyone can screw up and everyone needs to be on their toes when deploying code into a public facing environment.

TMX Data Breach Affects nearly 5 million US Customers 

Posted in Commentary with tags on April 4, 2023 by itnerd

TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan announced a data breach that affected more than 4.8 million customers from 1,000 consumer lending outlets across the US. The data stolen included dates of birth, passport numbers, driver’s license numbers, federal/state ID numbers, SSNs and financial account information.
 
In a data breach notification letter, TMX states that the breach was discovered on February 13th, 2023, that hackers had been in its systems since early December 2022, and that information was stolen between February 3rd and 14th, 2023.
 
TMX has implemented endpoint protection and monitoring and reset all employee account passwords and believes the security incident has now been contained.

Ted Miracco, CEO, Approov had this to say:

   “Unfortunately, data breaches like the TMX security incident are far too common in today’s digital age, and reckless companies often fail to take adequate measures to prevent them, as they rely on their insurers to pay the bill to clean things up. When these security incidents occur, it is often the customers and users who suffer the consequences, as their personal and sensitive information can be compromised, leading to identity theft, financial loss, and other types of harm.

   “While some companies take security seriously and implement measures to prevent breaches, others prioritize profits over security, which can lead to careless behavior and a lack of investment in security infrastructure. In some cases, companies may even attempt to minimize or cover up security incidents, leaving victims in the dark about the full extent of the damage.

   “This highlights the need for stronger regulations and penalties to hold companies accountable for data breaches and other security incidents, and to ensure that they are taking adequate measures to protect their customers’ information. Companies must understand the gravity of the situation and prioritize security over profits to protect their customers’ information and prevent potential harm.”

The fact that TMX is only now implementing “endpoint protection and monitoring” is a big hint that this was the likely gateway for the threat actors. Thus if you’re responsible for protecting your environment from threats like this, you might want to make sure that this box is checked.