Elephant0991

Comment

I hope nobody loses their shirt over this.

Summary

• Sensitive data exposed: Internal code, infrastructure diagrams, passwords, and other technical information were publicly accessible on GitHub for months.
• Source unclear: Unclear if an outside hacker or Binance employee accidentally uploaded the data.
• Potential risk: Information could be used by attackers to compromise Binance systems, though Binance claims "negligible risk".
• Data details: Included code related to passwords and multi-factor authentication, diagrams of internal infrastructure, and apparent production system passwords.
• Binance response: Initially downplayed the leak, later acknowledged data was theirs but downplayed risk.
• Current status: Data removed from GitHub via copyright takedown request.
• Unclear if any malicious actors accessed the data.

Key Points:

• Security and privacy concerns: Increased use of AI systems raises issues like data manipulation, model vulnerabilities, and information leaks.
• Threats at various stages: Training data, software, and deployment are all vulnerable to attacks like poisoning, data breaches, and prompt injection.
• Attacks with broad impact: Availability, integrity, and privacy can all be compromised by evasion, poisoning, privacy, and abuse attacks.
• Attacker knowledge varies: Threats can be carried out by actors with full, partial, or minimal knowledge of the AI system.
• Mitigation challenges: Robust defenses are currently lacking, and the tech community needs to prioritize their development.
• Global concern: NIST's warning echoes recent international guidelines emphasizing secure AI development.

Overall:

NIST identifies serious security and privacy risks associated with the rapid deployment of AI systems, urging the tech industry to develop better defenses and implement secure development practices.

Comment:

From the look of things, it looks like it's going to get worse before it gets better.

cross-posted from: https://zerobytes.monster/post/5063838

I guess if the law firm handles its own data breach this way; you can expect the companies to handle the breaches the same way.

Summary

The international law firm Orrick, Herrington & Sutcliffe, specializing in handling security incidents for companies, suffered a cyberattack in March 2023, resulting in the exposure of sensitive health information belonging to over 637,000 data breach victims.

The stolen data included consumer names, dates of birth, postal address and email addresses, and government-issued identification numbers, such as Social Security numbers, passport and driver license numbers, and tax identification numbers. The data also includes medical treatment and diagnosis information, insurance claims information — such as the date and costs of services — and healthcare insurance numbers and provider details.

Orrick, serving as legal counsel during security incidents at other companies, revealed that the breach also affected clients such as EyeMed Vision Care, Delta Dental, MultiPlan, Beacon Health Options, and the U.S. Small Business Administration. The number of affected individuals tripled since the initial disclosure. Orrick reached a settlement for class action lawsuits in December, which accused Orrick of failing to inform victims of the breach until months after the incident, acknowledging the incident's impact and expressing regret for the inconvenience caused. The firm did not disclose details about the hackers' entry or whether a financial ransom was demanded.

Short Summary

The macOS app called NightOwl, originally designed to provide a night mode feature for Macs, has turned into a malicious tool that collects users' data and operates as part of a botnet. Originally well-regarded for its utility, NightOwl was bought by another company, and a recent update introduced hidden functionalities that redirected users' data through a network of affected computers. Web developer Taylor Robinson discovered that the app was running a local HTTP proxy without users' knowledge or consent, collecting users' IP addresses and sending the data to third parties. The app's certificate has been revoked, and it is no longer accessible. The incident highlights the risks associated with third-party apps that may have malicious intentions after updates or ownership changes.

Longer Summary

The NightOwl app was developed by Keeping Tempo, an LLC that went inactive earlier this year. The app was recently found to have been turned into a botnet by the new owners, TPE-FYI, LLC. The original developer, Michael Kramser, claims that he was unaware of the changes to the app and that he sold the company last year due to time constraints.

Gizmodo was unable to reach TPE-FYI, LLC for comment. However, the internet sleuth who discovered the botnet, Will Robinson, said that it is not uncommon for shady companies to buy apps and then monetize them by integrating third-party SDKs that harvest user data.

Robinson also said that it is understandable why developers might sell their apps, even if it means sacrificing their morals. App development is both hard and expensive, and for individual creators, it can be tempting to take the money and run.

This is not the first time that a popular app has been turned into a botnet. In 2013, the Brightest Flashlight app was sued by the Federal Trade Commission after allegedly transmitting users' location data and device info to third parties. The developer eventually settled with the FTC for an undisclosed amount.

In 2017, software developers discovered that the Stylish browser extension started recording all of its users' website visits after the app was bought by SimilarWeb. Another extension, The Great Suspender, was flagged as malware after it was sold to an unknown group back in 2020.

All of these apps had millions of users before anyone recognized the signs of intrusion. In these cases, the new app owners' shady efforts were all to support a more-intrusive version of harvesting data, which can be sold to third parties for an effort-free, morals-free payday.

Possible Takeaways

• Minimize the software you use

• Keep track of ownership changes

• Use software from only the most reputable sources

• Regularly review installed apps

• Be suspicious about app's unexpected behaviors and permissions

Summary

• Google's proposal, Web Environment Integrity (WEI), aims to send tamper-proof information about a user's operating system and software to websites.
• The information sent would help reduce ad fraud and enhance security, but it also raises concerns about user autonomy and control over devices.
• The authors argue that implementing WEI could lead to websites blocking access for users not on approved systems and browsers.
• They express worries about companies gaining more control over users' devices and the potential for abuse.
• The authors emphasize that users should have the final say over what information their devices share.
• Remote attestation tools, like WEI, might have their place in specific contexts but should not be implemented on the open web due to potential negative consequences.
• The authors advocate for preserving user autonomy and the openness of the web, emphasizing that users should be the ultimate decision-makers about their devices.

Joke:

Two pieces of string walk into a bar. The first piece of string asks for a drink. The bartender says, “Get lost. We don’t serve pieces of string.”

The second string ties a knot in his middle and messes up his ends. Then he orders a drink.

The bartender says, “Hey, you aren’t a piece of string, are you?” The piece of string says, “Not me! I'm a frayed knot.”