Hidden Buttons, Dumb Password Rules, BLE Relay Attack, & Stealthy UEFI – PSW #775

Nothing to see here...please move along.

“When it comes to disinformation, the Pentagon should not be fighting fire with fire,” says Chris Meserole, head of the Brookings Institution’s Artificial Intelligence and Emerging Technology Initiative. Um, it's kinda what we do.

The claim as to "why" is simply, "the failure to consider privacy and data protection from the earliest product design stage." I think there's more to it than that, but then again...maybe that's a good place to start.

The Federal Trade Commission (FTC) is on a roll in its efforts to signal to the digital health industry that data privacy must be a priority. The FTC announced a consent decree with BetterHelp on March 2, 2023, to settle claims that the online mental health treatment company engaged in unfair and deceptive trade practices when it made website visitor information available to third parties for marketing and advertising purposes. The settlement highlights the growing risk associated with the use of third-party cookies and pixels on websites for companies that offer health services.

Efforts to enact laws and regulations that impose greater responsibility on the technology sector aren’t likely to come quick or easy.

The newly released U.S. Cybersecurity Strategy points to more regulation in more places, and yet compliance alone doesn't seem to work. Is there a middle ground? or a different approach altogether?

Does this surprise anyone?

Here's the actual report - and I didn't even have to submit any PII to get it!

Of course they are.

A group of researchers has achieved a breakthrough in secure communications by developing an algorithm that conceals sensitive information so effectively that it is impossible to detect that anything has been hidden. A secret message can be concealed inside another message that is random, or readable text produced by AI. The modified message has identical statistical properties as the unmodified one; so no statistical test can detect the hidden message.

AI simply finds patterns in text and extrapolates from them. This is not how humans learn language at all, because humans reason about meaning and use language to express concepts, using concepts like truth and morality. This means that AI will be far less useful than its enthusiasts predict, because it is profoundly stupid.

The RTF parser in Microsoft Word has a heap corruption vulnerability that is triggered “when dealing with a font table (fonttbl) containing an excessive number of fonts (f###).” A Proof-of-concept exploit is small enough to fit in a Tweet. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.

People are using ChatGPT for business tasks. In one case, an executive cut and pasted the firm's 2023 strategy document into ChatGPT and asked it to create a PowerPoint deck. In another case, a doctor input his patient's name and their medical condition and asked ChatGPT to craft a letter to the patient's insurance company. The problem is that ChatGPT remembers requests and can repeat them back later to threat actors who perform training data extraction attacks".

Water purification systems installed in two ice machines in a Boston hospital were supposed to make the water taste and smell better for patients on a surgery floor—but it ended up killing three of them. Because it stripped chlorine from the municipal tap water, it allowed bacteria normally found at low levels to flourish and form biofilms inside the machines.

The headline is FUDdy. The point is that there's a "Start my Security Checkup" button in Gmail that guides users through five steps to do things like adding account recovery options, setting up 2-Step Verification for extra account security, and checking your account permissions.

Two new laws passed in the EU last year: the Digital Services Act (DSA) and the Digital Markets Act (DMA). They will force changes to content moderation, transparency, and safety features on Google, Instagram, Wikipedia, and YouTube over the next six months. The largest companies, with over 45 million active monthly users in the EU (or roughly 10% of EU population), are called “Very Large Online Platforms” (or VLOPs) or “Very Large Online Search Engines” (or VLOSEs) and will be held to the strictest standards of transparency and regulation. They will be required to assess risks on their platforms, like the likelihood of illegal content or election manipulation, and make plans for mitigating those risks with independent audits to verify safety.

This extension collects cookies from the browser, to help people download YouTube videos. But it sent those cookies to the developer for months before finally being removed from the Chrome Web Store. This Reddit thread shows how the malicious action was detected and dealt with.

The authors applied a novel attack against ECDSA to datasets we found in the wild, including the Bitcoin and Ethereum networks. ECDSA signatures use a nonce, which should be random, but in practice is often generated by a weak pseudorandom number generator. If the nonces used for several signatures with the same private key are related by a simple polynomial, the private key can be extracted from the signatures. The authors found 762 Bitcoin private keys and found that a threat actor had already stolen the Bitcoin from those accounts.

On Monday, Twitter was broken; users could not open links or view images. This was caused by an API change, intended to shut down free access. Elon Musk has laid off so many staff, only one site reliability engineer was on the project. On Monday, the engineer made a “bad configuration change” that “basically broke the Twitter API”. Elon Musk was furious. This was at least the sixth high-profile service outage at Twitter this year.

On Monday, Microsoft bundled ChatGPT-style AI technology into its Power Platform developer tool and Dynamics 365, Reuters reports. Affected tools include Power Virtual Agent and AI Builder, both of which have been updated to include GPT large language model (LLM) technology created by OpenAI. Power Platform is a development tool that allows the creation of apps with minimal coding. Dynamics 365 Copilot automates certain "tedious tasks," such as manual data entry, content generation, and note-taking.

The SHA-3 code approved by NIST contains a buffer overflow vulnerability caused by an integer overflow. It affects all software projects that have integrated this code, such as Python and PHP. The root of the problem is a mixture of 64-bit and 32-bit integers in the calculation.

Microsoft discovered that an old version of the SHEIN Android application periodically read the contents of the Android device clipboard and, if a particular pattern was present, sent the contents of the clipboard to a remote server. To prevent such unsafe practices, several improvements have been added to Android: only allowing the foreground app to access the clipboard, displaying a message the first time an app uses the clipboard, and clearing the clipboard after a period of time.

Police were investigating his neighbor. A judge gave officers access to all his Ring security-camera footage, including inside his home. There's an overly close relationship between Amazon Ring and police, and it's disturbing that such an overly-broad search warrant was approved. “They are part of an ever-expanding web of surveillance in communities across America,” Sen. Ed Markey (D-Mass.) said in a statement to POLITICO about Ring’s products. “I’ve been ringing alarms about this company’s threats to our privacy and civil liberties for years.”

Why do Large Language Models such as ChatGPT produce wrong answers? They are merely extrapolating from the input you enter. If your input sounds fantastic or fictional, they write fiction in the same genre. And even if your input is neutral, they only find the most common result in their training data, without regard to its truth. Adding resources and more training only males the model more efficient at finding and repeating common misinformation.

Joe Biden gave federal agencies 30 days to remove TikTok from government devices, but federal agencies must also “prohibit internet traffic from reaching the company.” Some 28,251 apps use TikTok’s software development kits, (SDKs), tools which integrates apps with TikTok’s systems—and send TikTok user data—for functions like ads within TikTok, logging in, and sharing videos from the app. A simple ban on the TikTok app itself is not going to stop data flowing to TikTok.