EU weighs regulations on “high-risk” AI

The European Commission proposed a bill that would establish a list of high-risk uses of AI, which would be subject to new standards of development and use, including potential review of algorithms. This would apply to using AI in biometric identification systems, college admissions and loan applications, with fines of up to 6% of a company’s annual world-wide revenue. The law would also outright ban so-called “social credit systems” and AI systems that “materially distort a person’s behavior” in a way that would cause harm.

(WSJ)

DOJ forms ransomware task force

The US Justice Department formed the task force, recognizing both the growing prevalence of ransomware and saying it “jeopardizes the safety and health of Americans.” The DOJ will dedicate more resources to training for ransomware prevention and investigation, work to improve intelligence sharing on it, and identify links between criminal groups and nation-state actors. The task force will be led by Acting Deputy Attorney General John Carlin. 

(WSJ)

Facebook disrupts two state-sponsored hacking groups

The social network found both groups operated out of Palestine, with the Palestinian Preventive Security Service focusing internally and a second cyber-espionage group known as Arid Viper focused on operations outside the country. While using different techniques, both groups ultimately attempted to use Facebook accounts and posts to lure their targets on malicious sites hosting malware, usually packaged as desktop or mobile applications. Facebook had been tracking Arid Viper activity since August 2019. To disrupt operations, Facebook removed accounts, released malware hashes, and blocked domains associated with their activity, as well as notifying potentially impacted users.

(The Record)

University of Minnesota banned from submitting to Linux kernel

Linux kernel project maintainers imposed the ban on submissions from the Golden Gophers after it was discovered researchers at the institution submitted a series of malicious code commits as part of their research activities. The maintainers went so far as to revert all code commits ever coming from a @umn.edu email address. These commits will be re-reviewed to ensure they were actually a valid fix and not submitted in bad faith. The commits were used for a February 2021 research paper entitled, “Open Source Insecurity: Stealthily Introducing Vulnerabilities via Hypocrite Commits.” Researchers maintained that any patch suggestions were made through email exchanges and never made into a code branch. The University’s institutional review board approved the research as not ethically harmful. 

(Bleeping Computer)

Thanks to our episode sponsor, Palo Alto Networks

Ralph Waldo Emerson famously wrote that “It’s not the destination, it’s the journey.” For your cloud security journey, you need a reliable partner. On April 27th, Prisma Cloud by Palo Alto Networks will be hosting Spectrum, a virtual event with sessions to help you create a comprehensive cloud security strategy. Learn more at go.paloaltonetworks.com/spectrum

Signal founder examines a Cellebrite device 

In a blog post Moxie Marlinspike published details about how devices from the phone unlocking company Cellebrite work, and found the devices had numerous vulnerabilities themselves. He found the devices lacked exploit mitigation defenses, finding that a malicious app could easily add an “otherwise innocuous file in an app” which would tamper with a Cellebrite device when it attempted a scan. Marlinspike said he would share details about all vulnerabilities found on the device if Cellebrite discloses all the bugs the company uses to unlock phones. 

(Vice)

Data scraping tool exploits supposedly patched Facebook email flaw 

Security researchers at Hudson Rock tweeted details about a tool that allows a user to identify email addresses linked to Facebook accounts even if the address is not publicly shared. In a demo video, the security researcher claims they contacted Facebook about the issue, but the company said it would not address it. A Facebook spokesperson said, “It appears that we erroneously closed out this bug bounty report before routing to the appropriate team,” with the company taking initial action to mitigate the tool.  

(Motherboard)

Quanta confirms ransomware attack

The ODM laptop manufacturer and Apple supplier confirmed it fell victim to the ransomware group REvil, after the operators claimed it had breached the company on April 20th. The group claimed to have timed the disclosure to coincide with an Apple announcement when Quanta informed them it would not pay a $50 million ransom to recover stolen data. Quanta said the breach impacted a small number of servers and would not have a material impact on operations. The ransomware operators posted pictures of what appeared to be an unreleased MacBook laptop designed in March 2021, and is now saying it will publish additional pictures if Apple does not pay by May 1, 2021. 

(Bloomberg)

The most common movie passwords

Researchers at Specops analyzed over 800 million breached passwords, and found the most common movie names among the dataset. Rocky took the top stop, found in 96,000 passwords, while the 1991 film Hook showed good form coming in at number 2 with 75,000 passwords. The Matrix, Batman, and Psycho rounded out the top five. Somehow Rambo didn’t make the top 20. 

(Specops)