December 2023 Week 1 - Innspark | Enterprise Cybersecurity Solutions

Digital Car Keys are coming. How secure are they?

There are questions about what kind of technology they will use: Near-field communication (NFC)? Ultra wideband (UWB)? Bluetooth? How do we ensure it’s safe from hackers? And what happens when your phone runs out of battery? It seems the keys would keep working even if the phone runs out of battery charge. Industry standards are being charted out for this mission. One group drafting such a standard is the Car Connectivity Consortium (CCC), which includes most major car companies, as well as Apple, Samsung, and Xiaomi; another is the FiRa Consortium, a nonprofit that supports ultra wideband and includes Apple, Google, Cisco, Samsung, Qualcomm, and others as members.

A few challenges loom large in this arena. Creating a digital key technology inside the phone that is both accurate and secure is not possible without involving the device OEM. We will need to provision extra hardware in the phone, provide access to the secure element, ensure access to special sensors in the phone, and so on.


Did Google Drive users lose their files?

This is an interesting, yet complicated, high-profile issue. What really complicates it, in terms of solving the problem and parsing through user complaints, is that Drive for Desktop has two totally different modes of operation that could be causing issues. One is the traditional “mirroring” mode that works like Dropbox, where files on your hard drive get uploaded to the cloud, downloaded to all your other devices, and stay on your computer. In recent years the default switched to “File Stream,” where most files aren’t ever actually stored on your computer. Users are expected to have an always-on Internet connection and, when trying to open a cloud file link, the actual data is quickly streamed to their device so applications can access it. File Stream keeps a cache of “recently and frequently used files,” but other than those, Drive will actively remove files from your computer.

That’s all to say that, if Google lost data and you were in File Stream mode, there’s a good chance you don’t actually have your files anymore. Dropbox and Drive’s mirror mode keep local copies of the files on your computer, but File Stream often does not. Is File Stream deleting or moving files without uploading them first? That is the key question.


Amazon’s AI engine ‘Q’ learns from 17 years of AWS experience

Q is a tailored AI that’s meant to tap into a subscribing company’s systems to access pertinent information and draft responses to workers’ queries. Say a worker wants to know which parts of the business customers have been complaining about most lately. If the chatbot has access to customer relations systems, the bot should be able to give a rundown of which complaints have been most reported as of late. The bot could also fill out support tickets or summarise documents.

Amazon also claimed its bot would be able to understand the data permissions for workers inside a company. For example, Tim from HR won’t have access to customers’ financial data from the accounting department. Like other similar enterprise AI, the bot can connect and gather data from other external apps like Slack.

The bot is set to compete against Microsoft’s Windows Copilot and other business-oriented AI like Google Duet AI and OpenAI’s ChatGPT Enterprise. Up until now, Amazon has not revealed any in-house AI meant to directly hit its big tech competitors. 


Indian Banking fraud on the rise using Social Engineering tricks

Microsoft has observed ongoing activity from mobile banking trojan campaigns targeting users in India with social media messages designed to steal users’ information for financial fraud. Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organisations, such as banks, government services, and utilities. Once installed, these fraudulent apps exfiltrate various types of sensitive information from users, which can include personal information, banking details, payment card information, account credentials, and more.

Spoofing and impersonating legitimate banks, financial institutions, and other official services is a common social engineering tactic for information-stealing malware. Importantly, legitimate banks themselves are not affected by these attacks directly, and the existence of these attacks is not related to legitimate banks’ own authentic mobile banking apps and security posture. That said, cybercriminals often target customers of large financial institutions by masquerading as a legitimate entity. This threat highlights the need for customers to install applications only from official app stores, and to be wary of false lures as we see in these instances.


Did AI write Articles for Sports Illustrated?

An investigative report published by the science and technology news publication Futurism found Sports Illustrated published articles written by fake authors. These fake authors also had headshots and biographies generated by artificial intelligence, Futurism’s investigation found.

Sports Illustrated is not the only publication dabbling with AI. In January 2023, BuzzFeed’s CEO, Jonah Peretti, announced the website would integrate AI into its content and make it a part of its core business. BuzzFeed has since published AI-written quizzes and travel guides – a practice with which the company is still experimenting.

Such moves by Sports Illustrated and BuzzFeed stoke fears of a rise in dystopian content farms and more trouble in the already embattled, shrinking news media sector. The use of AI is cost-efficient compared to human writers and content creators, arguably offering a potential and tempting solution to the financial troubles in the industry.

Other news organisations such as the New York Times and NBC took a step in the opposite direction, announcing plans to create guardrails for non-human generated content and disinformation as well as protection on articles against being repurposed without credit or context.


Meta cracks hard on political advertising. Will that help democracy?

Meta says its generative artificial intelligence (AI) advertising tools cannot be used to power political campaigns anywhere globally, with access blocked for ads targeting specific services and issues.

The social media giant said earlier this month that advertisers will be barred from using generative AI tools in its Ads Manager tool to produce ads for politics, elections, housing, employment, credit, or social issues. Ads related to health, pharmaceuticals, and financial services also are not allowed access to the generative AI features.

The company also unveiled an AI chatbot, called Meta AI, that includes an AI image generator tool called Emu. These images can be rendered and used across Meta’s chat platforms including WhatsApp and Instagram.

Further emphasizing the role of AI, Neary noted that 20% of content on Facebook and Instagram Feeds is now recommended by AI.

Concerted efforts were made more than a year ago to show more relevant content powered by recommendation engines, rather than content organized around people followed by Meta users. AI also powers better outcomes for marketers, with tools such as Advantage+ suite automating their tasks.


Bluetooth is not that safe from cybersecurity angles, new research claims

Multiple Bluetooth chips from major vendors such as Qualcomm, Broadcom, Intel, and Apple are vulnerable to a pair of security flaws that allow a nearby miscreant to impersonate other devices and intercept data.

The weaknesses were identified by Daniele Antonioli, an assistant professor at French graduate school and research center EURECOM’s software and system security group. He detailed the attack vectors by which the flaws could be exploited in a paper titled “BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses.”

The attacks force the creation of weak session keys, which are used when paired Bluetooth devices try to establish a secure communication channel. Weak keys can be easily broken, allowing the eavesdropper to hijack sessions and snoop on victims’ conversations, data, and activities carried out over Bluetooth.

“Our attacks enable device impersonation and machine-in-the-middle across sessions by only compromising one session key,” Antonioli explained in his paper. “The attacks exploit two novel vulnerabilities that we uncover in the Bluetooth standard related to unilateral and repeatable session key derivation.”


Apple patches two security vulnerabilities on iPhone, iPad, and Mac

The two security flaws affected WebKit, Apple’s open-source browser framework powering Safari. In Apple’s description of the first bug, it said, “Processing web content may disclose sensitive information.” In the second, it wrote, “Processing web content may lead to arbitrary code execution.”

The security patches cover the “iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.”

The odds your devices were affected by either of these are extremely minimal, so there’s no need to panic — but, to be safe, it would be wise to update your Apple gear now. You can update your iPhone or iPad immediately by heading to Settings > General > Software Update and tapping the prompt to initiate it. On Mac, go to System Settings > General > Software Update and do the same. Apple’s fixes arrived in iOS 17.1.2, iPadOS 17.1.2 and macOS Sonoma 14.1.2.


Government of India holds meet to combat cyber frauds in financial sector

Regulatory bodies, bank CEOs, and payment aggregators are to unite to forge a resilient digital defence. This meeting comes in the aftermath of UCO Bank’s recent ₹820-crore IMPS glitch. The Finance Ministry convened a crucial meeting on November 28 to discuss issues related to the increasing cybercrimes in the financial sector.

This meeting assumes significance as it comes at a time when cybercrime, powered by Artificial Intelligence (AI), is taking root around the world with huge implications for the Indian financial sector. There is also growing clamour for far more cogent steps from banks to guard themselves from cyber attacks and related financial frauds.

Several cyberlaw and cybersecurity experts are now making a case for India to enact a dedicated legislation on cybersecurity, or at least introduce specific provisions in law to drive accountability among those at the helm of banks.

Cyberlaw experts feel that banks, especially public sector banks, today need to take a number of steps to beef up their cybersecurity preparedness.

“Right now the law is behind in respect of banks. With so much of cyber attacks by State and non State actors and misuse of AI, Cyber security has to be top most agenda of every Board of every bank”, Pavan Duggal, a Cyberlaw expert, told businessline.

India needs a dedicated legislation on cybersecurity as the current Information Technology Act 2000 is not capable of addressing the issues of cybersecurity, he said.


Government of India takes CERT-In out of Right to Information.

The Centre has used its powers given under sub-section (2) of Section 24 of the RTI Act to exempt CERT-In from the purview of the transparency law. Using those powers, the Centre has included CERT-In at serial number 27 in the Second Schedule of the RTI Act.

The CERT-In comes under the Ministry of Electronics and Information Technology. In March this year, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar had informed Rajya Sabha that the “procedure of inter-departmental consultation” was on to discuss exemption of the CERT-In from the RTI Act.

With inclusion in the Second Schedule of the RTI Act, the CERT-In now joins the list of 26 other intelligence and security organisations, which are already exempted from the purview of the Act. The RTI law empowers the Central Government to amend the Second Schedule by including therein any other intelligence or security organisation established by it or omitting therefrom any organisation already specified therein. The Centre can amend the Second Schedule through a notification in the Official Gazette. 


India 10th most breached country worldwide. Time to take Cyber crime seriously.

Taj Hotels, owned by the Tata Group, reportedly fell victim to a significant data breach which allegedly exposed the personal information of 1.5 Mn customers. The incident underscores the persistent threat of data breaches in large organisations, prompting a closer examination of cybersecurity measures across industries. According to experts, the surge in cyberattacks on Indian enterprises is driven by reliance on third-party platforms, interconnected ecosystems, and a lack of security hygiene, among other factors.

In the third quarter of 2023, India emerged as the 10th most breached country worldwide, with a significant count of 3,69,000 leaked accounts, according to cybersecurity firm Surfshark. It was the third consecutive quarter in 2023 when India found a spot in the top countries globally for data breaches, despite the breach rate declining 74% from 1.4 Mn leaked accounts in Q2.

According to cybersecurity experts, large enterprises often rely on complex networks of partnerships, including with third parties. This growing reliance on external relationships adds more risks when it comes to data security and a smart approach is required to manage these risks effectively.

When a company gives third parties access to its internal assets, the security of its data depends on how well those third parties handle security. If a hacker breaches a company within the network of one of these third parties, the data that the compromised company has access to is put at risk, the experts say.


Infosys Unit in USA hit by Cybersecurity event resulting in denial of systems

Indian IT service provider Infosys said its U.S. unit, Infosys McCamish Systems, was impacted by a cyber security event, resulting in the non-availability of certain applications and systems in November. The company said it is working with a cyber security company to resolve the issue and that it had launched an investigation to identify the potential impact on systems and data.


AI needs Government regulation, says Apple CEO Tim Cook

Artificial intelligence might be found all over Apple’s products, but that doesn’t mean the company’s CEO isn’t in favour of regulating the technology. In fact, Tim Cook believes it’s the government’s responsibility to step in before the effects of AI’s latest evolution—generative AI—become catastrophic.

Cook shared his perspective during a conversation with the British pop star Dua Lipa, who runs the interview podcast At Your Service. Between questions about Cook’s career journey, Apple’s environmental and child labour guardrails, and diversity within the executive suite, Lipa asked the CEO for his outlook on what has become a controversial (and occasionally misunderstood) technology.

“What has gathered people’s imagination more recently is generative AI and the use of large language models. I think this is an area that can be life-changing.” Cook said that while generative AI has the potential to be “life-changing in a good way,” like in certain future healthcare settings, it can also be damaging.

“What is needed with this new form of AI, generative AI, is some rules of the road and some regulation around this. I think many governments around the world are now focused on this and focused on how to do it, and we’re trying to help with that. And we’re one of the first ones that say this is needed, that some regulation is needed.”


Digital Crackdown: Meta takes down thousands of Chinese fake accounts

The users posed as Americans and sought to spread polarising content about US politics and US-China relations. Among the topics the network posted about were abortion, culture war issues and aid to Ukraine. Meta did not link the profiles to Beijing officials, but it has seen an increase in such networks based in China ahead of the 2024 US elections.

China is now the third-biggest geographical source of such networks, the company said, behind Russia and Iran. The recent takedowns were outlined in a quarterly threat report released on Thursday by the parent company of Facebook, Instagram and WhatsApp. The China-based network included more than 4,700 accounts and used profile pictures and names copied from other users around the world.

The accounts shared and liked each other’s posts, and some of the content appeared to be taken directly from X, formerly Twitter. In some cases the accounts copied and pasted verbatim posts from US politicians – both Republicans and Democrats – including former House Speaker Nancy Pelosi, Michigan Governor Gretchen Whitmer, Florida Governor Ron DeSantis, Reps Matt Gaetz and Jim Jordan, and others.