Liam Mayron – PSW #786
1. Generative AI Security Implications, Protecting Web Applications – Liam Mayron – PSW #786
Liam Mayron from Fastly comes on the show to talk about his unique path into information security, the security implications of generative AI, advances in technologies to protect web applications, detecting bots, and enabling better MSP services!
This segment is sponsored by Fastly. Visit https://securityweekly.com/fastly to learn more about them!
Announcements
Security Weekly listeners: Identiverse is just weeks away! Register now and join the digital identity community at the ARIA Resort & Casino in Las Vegas, May 30 – June 2. The 14th annual Identiverse will bring together over 2,500 security professionals for 4 days of world-class learning, engagement, and entertainment.
As a community member, receive 20% off your Identiverse 2023 tickets using code IDV23-SW20!
Register today: securityweekly.com/identiverse2023
Guest
Liam Mayron is a Staff Product Manager at Fastly where he focuses on security. He’s held a variety of roles at LogRhythm, Akamai, and Harris Corp. (now L3Harris Technologies). Additionally, he was an Assistant Professor at the Florida Institute of Technology where he created the Master of Science in Information Assurance and Cybersecurity degree program. He has a Ph.D. in computer engineering and is a Certified Information Systems Security Professional (CISSP).
2. Post-Exploit, Vocal Passports, Will it Run DOOM!?!, & Coldplay Lyrics in Firmware – PSW #786
In the Security News: a cross-platform, post-exploit, red teaming framework, cover your backups, your voice should never be your passport, time to change your fingerprints, a drop in the bucket sucka, Thor will take out those pesky drones, never give your AI friends money, bye-bye PyPI for a while anyhow, bug bounties are broken, you say you want people to update routers, not-too-safe-boot, mystery microcode, Cisco listens to the podcast (they must have heard it from Microsoft), will it run DOOM?, your server is bricked, permanently, Hell never ends on x86, and Coldplay lyrics in your firmware.
Announcements
Our teams from Security Weekly and SC Media were onsite at RSA Conference 2023 delivering in-depth reporting, analysis and interviews from the conference. If you were unable to join us in person, or didn't manage to catch our video livestream from Broadcast Alley, you can access all of our RSAC 2023 coverage at https://securityweekly.com/rsac.
- 1. Backup Repositories Targeted in 93% of Ransomware Attacks
The ransomware threat is still very much alive, with 85% of organizations having suffered from at least one such attack over the past 12 months, according to Veeam’s 2023 Ransomware Trends Report.
If this trend continues, “more organizations will suffer a ransomware attack than turn a profit,” warns the report.
Veeam also found that in 93% of ransomware incidents, the threat actors target the backup repositories, resulting in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) of backup repositories being completely lost.
The report showed that organizations are still ill-prepared to face this threat.
First, most (80%) continue to pay the ransom despite multiple advisories against it. They primarily do that to get their data back, yet 21% don’t, even after paying the ransom.
- 2. Private Sector Cybersecurity Task Force Called for to Defend Democracies
As Russia and China plow millions, if not billions of dollars, into disinformation, blackmail and bribery campaigns, Western nations need to step up and realize they are under attack.
This is according to Jessica Berlin, an independent policy and security consultant, who called for Western nations to recognize that these adversaries are playing the long game and need to step up.
“We need, from our side, the free world side, to be willing to also invest in the defense of our democracies,” she said, speaking at WithSecure’s Sphere 2023 conference in Helsinki.
She noted that there is no international security without cybersecurity and called for a private sector task force to defend democracies in general elections and public information.
From a public-private perspective, Berlin called for the cybersecurity industry to be wagging the dog of international cybersecurity policy.
She said there is a need to see companies that can be agile, test and then scale and create a toolbox to defend democracy.
“This is your key to long-term survival as a company,” she said to the Sphere 2023 audience before adding that these efforts are key to “our collective long-term survival as democracies.”
She also said companies must consider helping secure more fragile, young democracies. She later noted that creating toolboxed resources and helping protect elections in these types of nations will “build a runway” for business development in those countries and markets.
Coming from Germany, she said that progress was slow and, in some cases, cumbersome. Whereas in countries like Finland, Estonia and Lithuania, the markets can be much more agile.
“You guys are smaller markets that really punch above your weight in tech,” she said. “There’s really an opportunity here in the region to get started on projects like this, especially if you collaborate with the Ukrainians.”
Having spent a lot of time in Ukraine over the past 18 months, Berlin said that the community must also be willing to take the lead and learn from the example of Ukraine in its cybersecurity response since February 2022.
She noted that there is long-term funding available from governing bodies like the European Union.
- 3. Popular Android Screen Recorder iRecorder App Revealed as Trojan
The iRecorder app has been removed from the Google Play Store, but it is still available on third-party app stores, so be careful!
iRecorder – Screen Recorder, a once legitimate Android application, has now been found to harbour a dangerous Android remote access Trojan (RAT). Cybersecurity experts from ESET made this discovery, uncovering a variant of AhMyth, an open-source remote administration tool capable of extracting sensitive data from Android devices.
Initially launched in September 2021 and boasting over 50,000 installs, iRecorder – Screen Recorder appeared to be a harmless screen-recording app. However, the latest analysis by ESET has revealed the presence of a malicious code, referred to as AhRat by the researchers, within the app’s recent update to version 1.3.8 in August 2022.
- 4. Pentagon explosion hoax goes viral after verified Twitter accounts push
Highly realistic AI-generated images depicting an explosion near the Pentagon that went viral on Twitter caused the stock market to dip briefly earlier today.
Tweets with images supposedly depicting an explosion near the Pentagon building in Arlington, Virginia, were amplified by many verified Twitter accounts, including a Russian state media one with millions of followers and a verified account impersonating the Bloomberg news agency.
- 5. Online scams target bargain-hunting holiday travelers
30% of adults have fallen victim or know someone who has fallen victim to an online scam while trying to save money when booking travel, according to McAfee.
34% of those who had money stolen have lost over $1,000 before their trip has even begun, while 66% lost up to $1,000.
Too good to be true
62% of all vacationers will travel domestically this year and 42% will do so internationally. With inflation and the cost-of-living crisis, the research reveals new concerns for leisure-seekers who, in their quest for a good deal, may be more likely to fall for a scam.
With 94% of people booking travel online this year, it can be easy to get lured into a deal that’s too good to be true. In today’s economic environment, adults are more likely to seek out a bargain deal online (56%), move quickly to snap up a deal (45%), try a new booking site (35%) and even a new destination (36%), in order to save money. However, travel seekers need to stay vigilant to avoid falling for a scam.
Online travel scams can take many forms, with the research finding 14% of all adults have been tricked into making payments through fraudulent platforms and 18% have had their identity stolen when booking online. Of this portion, 7% entered passport information and 11% provided other personally identifiable information to a fake website.
- 6. Voice Cloning-as-a-Service Emerges as a New Stream in Underground World
The ever-growing boom in AI-based tools is increasingly attracting cybercriminals. Experts have observed an increase in the availability of Voice Cloning-as-a-Service (VCaaS) offerings, which power deepfake frauds. These tools and services are capable of spreading misinformation in highly effective ways and can defeat voice-based MFA systems easily.
Impersonating celebrity voices
Recorded Future researchers have revealed that several attackers are offering out-of-the-box voice cloning platforms, thus helping other cyber criminals carry out attacks effectively without any sound technical know-how. These voice-cloning tools are often intended to create fake voices of popular celebrities, politicians, and other influencers. These fake audio recordings can be used to spread disinformation or to carry out social engineering fraud. Some of these automated voice cloning platforms are being offered for free, while others cost a minimal amount of money.
- 7. Meta Fined Record $1.3 Billion and Ordered to Stop Sending European User Data to US
The European Union slapped Meta with a record $1.3 billion privacy fine Monday and ordered it to stop transferring user data across the Atlantic, the latest salvo in a decadelong case sparked by U.S. cybersnooping fears.
The penalty fine of 1.2 billion euros from Ireland’s Data Protection Commission is the biggest since the EU’s strict data privacy regime took effect five years ago, surpassing Amazon’s 746 million euro penalty in 2021 for data protection violations.
The Irish watchdog is Meta’s lead privacy regulator in the 27-nation bloc because the Silicon Valley tech giant’s European headquarters is based in Dublin.
Meta, which had previously warned that services for its users in Europe could be cut off, vowed to appeal and ask courts to immediately put the decision on hold.
“There is no immediate disruption to Facebook in Europe,” the company said.
“This decision is flawed, unjustified and sets a dangerous precedent for the countless other companies transferring data between the EU and U.S.,” Nick Clegg, Meta’s president of global affairs, and Chief Legal Officer Jennifer Newstead said in a statement.
It’s yet another twist in a legal battle that began in 2013 when Austrian lawyer and privacy activist Max Schrems filed a complaint about Facebook’s handling of his data following former National Security Agency contractor Edward Snowden’s revelations about U.S. cybersnooping.
- 1. SKYTALKS 2023 REGRETFULLY DECLINES
But as leaders for the event, and active participants in the hacker community, we are not comfortable with our personal moral and ethical questions in asking volunteers and speakers to take what we believe are significant risks to their long term health to come and participate in Skytalks. Long COVID is still a thing, and given how many of our organizers and speakers already have other long term health issues that could be complicated by long-term COVID issues, we feel it irresponsible of us to ask them, or any of us, to assume that risk right now.
- 1. BrutePrint: Expose Smartphone Fingerprint Authentication to Brute-force Attack
Using a middleman called "Blueprint" to bypass attempt limits and hijack fingerprint images, they were able to brute-force fingerprint authentication on 10 representative smartphones from top-5 vendors and 3 typical types of applications involving screen lock, payment, and privacy. As all of them are vulnerable to some extent, the fingerprint brute-force attack is validated on all devices except iPhone.
- 2. Meta Fined $1.3 Billion for Violating E.U. Data Privacy Rules
Meta on Monday was fined a record 1.2 billion euros ($1.3 billion) and ordered to stop transferring data collected from Facebook users in Europe to the United States. But it remains unclear if or when Meta will ever need to cordon off the data of Facebook users in Europe. Meta said it would appeal the decision, setting up a potentially lengthy legal process. Meta faces the prospect of having to delete vast amounts of data about Facebook users in the EU. That would present technical difficulties given the interconnected nature of internet companies.
- 3. Preparing to ship the Privacy Sandbox relevance and measurement APIs
Starting in Q3 2023, Chrome will include these APIs: Topics, Protected Audience, Attribution Reporting, Private Aggregation, Shared Storage, and Fenced Frames. The Topics API generates signals for interest-based advertising without third-party cookies or other user identifiers that track individuals across sites. Chrome will begin phasing out third-party cookies in Q1 2024.
- 4. The U.S. is expanding CO2 pipelines. One poisoned town wants you to know its story
There are now about 5,300 miles of CO2 pipelines in the U.S., but in the next few decades, that number could grow to more than 65,000 miles. The expected growth in CO2 pipelines is tied to a nationwide push for more carbon capture and storage. When a pipe leaks, it can create a cloud of CO2 that can sometimes hang in the air for hours. Exposure causes a thirst for oxygen, disorientation and heart malfunction. Extreme exposures to carbon dioxide can lead to death by asphyxiation. People have ended up with long-term respiratory and brain damage.
- 5. China fails Micron’s products in security review, bars some purchases
China's cyberspace regulator said on Sunday that products made by U.S. memory chipmaker Micron Technology Inc (MU.O) had failed its network security review and it would bar operators of key infrastructure from buying from the company. The CAC neither provided details on what risks it had found nor what Micron products would be affected.
- 6. The Air Force’s new directed energy weapon is ready to blast drone swarms out of the sky
Tactical High-power Operational Responder (THOR) is a high-powered microwave counter-drone weapon. During a trial, the THOR team “flew numerous drones at the THOR system to simulate a real-world swarm attack,” and THOR “was exceptionally effective at disabling the swarm.”
- 7. PyPI new user and new project registrations temporarily suspended
Incident Report for Python Infrastructure: The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion.
- 8. KeePass exploit helps retrieve cleartext master password, fix coming soon
The exploit allows an attacker to steal a KeePass user’s master password in plain text from the target computer’s memory, even when the database is locked. "No code execution on the target system is required, just a memory dump. It doesn't matter where the memory comes from - can be the process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys) or RAM dump of the entire system."
- 9. Imperial College working with Royal Navy on groundbreaking system to replace GPS on ships
A new quantum compass that could replace GPS on ships has been tested on water for the first time. Military chiefs have been warning for years of the dangers of relying on GPS, due to the potential for adversaries to jam and manipulate trackers. Quantum accelerometers work by measuring how an object’s speed changes over time. The device uses this velocity and the object’s starting point to calculate the new position. To keep that precision over long periods of time, the device measures the properties of supercooled atoms.
- 10. Man Scammed by Deepfake Video and Audio Imitating His Friend
Hackers using advanced AI software reportedly convinced a man in northern China to transfer 4.3 million yuan ($622,000) to his friend, but instead directed it to a fraudulent account. In the UK, the CEO of a local energy firm wired €220,000 (approx. $243,000) to a Hungarian supplier’s bank account after receiving a phone call from his supposed boss. The voice actually belonged to a scammer who used AI voice technology to replicate the boss’s voice, and the CEO told The Wall Street Journal that he recognized the subtle German accent and said it carried the “melody” of his voice. A similar attack was reported in Milwaukee.
- 11. This palm-sized PC might contain the future of gadget cooling
AirJet is a micro-electromechanical system that shoots air out of a solid-state chip, cooling with a device thinner and quieter than most fans could manage. There are vibrating membranes inside the chip. When they vibrate they create a suction force that pulls air from the top through the dust guard into the inlet vents, and then pushes it down at very high velocities.
- 12. The cyber gulag: How Russia tracks, censors and controls its citizens
Putin has harnessed digital technology to track, censor and control the population, building what some call a “cyber gulag.” An activist can't ride the subway without being recognized by facial recognition and detained. More than 610,000 web pages were blocked or removed by authorities in 2022, the highest annual total in 15 years, and 779 people faced criminal charges over online comments and posts, also a record. AI systems scan social networks for banned content.
- 13. Man convicted of blackmail and other offences
A UK IT security analyst tried to hijack a ransomware payment by altering the payment address in a blackmail email. No payment was made, and the unauthorised access to the private emails was noticed. He had wiped all data from his devices just days before his arrest in order to try to hide his involvement; however, the data was recovered and provided direct evidence of his crimes.