Cyber Security Headlines: Microsoft leaks AI data, UK CMA AI principles, Germany warns of natural gas terminal attacks

Microsoft leaks terabytes of internal data

Researchers at Wiz shared research with TechCrunch, showing that Microsoft AI researchers exposed sensitive data in a storage bucket of AI training data on GitHub. The researchers intended to share image recognition models. However, misconfigured permissions granted access to 38 terabytes of data, including private keys, passwords, and over 30,000 internal Teams messages. Microsoft initially published this bucket in 2020. Because the bucket granted “full control,” a savvy user could potentially delete or add content to the dataset. Wiz researchers notified Microsoft on June 22nd and Microsoft revoked the token causing the issue on June 24th. The company said this did not expose any customer data. 


UK CMA outlines principles for AI regulation

The Competition and Markets Authority published seven principles to both guide future AI regulations and help companies responsibly develop AI. These apply to so-called foundation models, targeted at LLMs used to base generative AI use cases. The principles include ensuring developers using these models are responsible for output given to customers, and broad access to tech needed to train AI systems. It also prioritized offering a diversity of business models for foundation models, letting businesses divide how to use a model, interoperability for using multiple models simultaneously, avoiding self-preferencing, and risk transparency. The CMA also acknowledged that AI models touch on copyright and data privacy issues, but chose to focus on the competitive landscape, given the “handful of firms” looking to entrench their market position. 


Germany warns of attacks on LNG terminals 

At the Baden-Württemberg Cybersecurity Forum, Germany’s Federal Intelligence Service head, Bruno Kahl, warned that liquefied natural gas could become targets for state-sponsored actors. Germany chartered these terminals to lessen its dependence on Russian pipelines. While Kahl presented Russia and China as the country’s biggest cybersecurity threats, he cautioned that smaller states could have an outsized impact with targeted cyber operations. While Germany saw several attacks impacting oil port terminals last year, officials told The Record these appeared “not coordinated” with state-sponsored actors. 

(The Record)

Cryptojacking operation moves away from EC2

Amazon Web Services remain a popular target for cryptojacking attacks. Previously these targeted EC2 instances. However new security controls that require approval for added resources have seen threat actors shift tactics. Researchers at Sysdig published details on an operation dubbed AMBERSQUID, which targets less popular services like AWS Amplify, AWS Fargate, and AWS Sagemaker. Security policies can overlook these lesser-used services, making them prime targets. Researchers believe AMBERSQUID operates out of Indonesia. They recommend that if organizations cannot expand threat detection into these services, they should focus on higher level logging to detect attackers as early as possible. 

(The Register)

Thanks to our sponsor, Hyperproof

Imagine. You have an audit coming up, but instead of the usual rush, you actually feel prepared. You’ve collected your evidence. You can see which risks have been mitigated. And best of all, you don’t have to send out any last-minute emails to other teams begging them for that one screenshot. Sounds like a dream, right? With Hyperproof’s risk and compliance platform, this could be your reality. Get a demo at

Google changes code submission rules for Android 

While most code in the Android Open Source Project, or AOSP, is licensed under the permissive Apache 2.0 license, Google generally develops most of the code in private, with Quarterly Platform Releases to introduce new features and APIs. Journalist Mishaal Rahman noted that Google changed its rules for external code contributions to AOSP. These submissions now require the approval of two internal Google reviewers before the code can be submitted to AOSP. Google said it hopes this change will improve AOSP’s software supply chain. Most external AOSP submissions come as bug fixes or security patches. 

(Mishaal Rahman)

White House seeks to make sense of cyber regulations

In recent weeks, the White House began an efforts to create a framework for critical infrastructure operators. This would standardize compliance for cyber regulations, allowing for a single set of standards to apply across domains for a company. This would give a single set of rules for breach disclosures and standardize formats for submitting information. This effort of harmonizing regulations comes as part of the National Cybersecurity Strategy Implementation Plan, being led by the Office of the National Cyber Director and Office of Management and Budget. It’s anticipated this effort will take several years. 


California’s DELETE Act goes to the governor 

California’s legislature passed the DELETE Act. This bill requires the California Privacy Protection Agency to create a website where citizens can see registered data brokers in the state and delete personal data. Once a citizen in the state requests deletion, the bill prohibits brokers from selling or sharing any newly collected information. The site would go online by 2026 under the bill. The DELETE Act now goes to Governor Gavin Newsom for signature. Current law gives California citizens the right to request data brokers delete their data, but it requires contacting them individually. The DELETE Act creates a centralized way to request deletion and enforcement for violations. 

(The Register)

Google promises a decade of Chromebook updates

Google said it will extend security updates on mobile computers running ChromeOS. Devices released since 2021 and onwards will receive 10-years of updates from the date of platform release, delivered every 4 weeks. Users will older devices can also enroll to receive 10-years of updates from platform release, but it won’t be automatic. Fleet deployments of older devices will need admins to enroll them. Google also said that devices outside of the 10-year update cycle will still be protected by native ChromeOS security features like Verified Boot. 

(Security Week)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.