The IT Privacy and Security Weekly Update goes Atomic for the week ending February 28th, 2023



Daml’ers,

From Rosie the Robot to atomic restores… we’ve got you covered.
[Image: Rosie the Robot]

This week we walk out of the UK with Signal and break into our bank with something that’s not even ours.

We have good news for those on the witness protection program and a stupid update from LastPass.

We discover that the EU and Canada are packing up to leave the TikTok party and we visit LinkedIn as an attack vector.

We finish as all secure updates should, with an analogy that’s “da bomb”.

Like most things in life, you’ve got to test it out to be sure. So don your goggles, grab your procedures clipboard, and let’s get over to the testing site!

Remember you can click on the graphics near the start and end of every blog post for a link to the podcast of this content. Try it! Click on Rosie



Global: Almost 40% of domestic tasks could be done by robots ‘within a decade’

A revolution in artificial intelligence could slash the amount of time people spend on household chores and caring, with robots able to perform about 39% of domestic tasks within a decade, according to experts.

Tasks such as shopping for groceries were likely to have the most automation, while caring for the young or old were the least likely to be affected by AI, according to a large survey of 65 artificial intelligence (AI) experts in the UK and Japan, who were asked to predict the impact of robots on household chores.

But greater automation could result in a “wholesale onslaught on privacy,” warned one of the report’s authors.

The experts involved in the research, published in the journal Plos One, estimated that only 28% of care work, such as teaching or accompanying a child or caring for an older relative, would be automated.

But they predicted that 60% of the time spent on shopping for groceries would be cut.

However, predictions that robots will take over domestic work “in the next 10 years” have been made for several decades, yet the reality of a robot able to put out the bins and pick Lego up from the floor has remained elusive.

So what’s the upshot for you? This story has probably been echoed since the 1960s in one form or another… yes George (Jetson), we are still waiting.


UK/US: I Broke Into a Bank Account With an AI-Generated Voice

On Wednesday, I phoned my bank’s automated service line. To start, the bank asked me to say in my own words why I was calling.

Rather than speak out loud, I clicked a file on my nearby laptop to play a sound clip: “check my balance,” my voice said.

But this wasn’t actually my voice. It was a synthetic clone I had made using readily available artificial intelligence technology. “Okay,” the bank replied.

It then asked me to enter or say my date of birth as the first piece of authentication.

After typing that in, the bank said “please say, ‘my voice is my password.’” Again, I played a sound file from my computer. “My voice is my password,” the voice said.

The bank’s security system spent a few seconds authenticating the voice. “Thank you,” the bank said. I was in.

I couldn’t believe it – it had worked.

I used an AI-powered replica of a voice to break into a bank account. After that, I had access to the account information, including balances and a list of recent transactions and transfers.

Banks across the U.S. and Europe use this sort of voice verification to let customers log into their accounts over the phone.

Some banks tout voice identification as equivalent to a fingerprint, a secure and convenient way for users to interact with their bank.

But this experiment shatters the idea that voice-based biometric security provides foolproof protection in a world where anyone can now generate synthetic voices for cheap or sometimes at no cost.

I used a free voice creation service from ElevenLabs, an AI voice company.

Now, abuse of AI voices can extend to fraud and hacking.

Some experts I spoke to after doing this experiment are now calling for banks to ditch voice authentication altogether, although real-world abuse at this time could be rare.

A Lloyds Bank spokesperson said in a statement that “Voice ID is an optional security measure, however, we are confident that it provides higher levels of security than traditional knowledge-based authentication methods, and that our layered approach to security and fraud prevention continues to provide the right level of protection for customers’ accounts, while still making them easy to access when needed.”

The Consumer Financial Protection Bureau, one of the U.S. agencies that regulate the financial industry, said: “The CFPB is concerned with data security, and companies are on notice that they’ll be held accountable for shoddy practices. We expect that any firm follows the law, regardless of the technology used.”

So what’s the upshot for you? This feels like “they’ll put up a crosswalk after enough people get hit by traffic at that intersection…” Taking the time to establish “shoddy practices” may be leaving it a little too late.


UK/US: Signal Would ‘Walk’ From UK if Online Safety Bill Undermined Encryption

The encrypted-messaging app Signal has said it would stop providing services in the UK if a new law undermined encryption.

If forced to weaken the privacy of its messaging system under the Online Safety Bill, the organization “would absolutely, 100% walk,” Signal president Meredith Whittaker told the BBC.

The government said its proposal was not “a ban on end-to-end encryption”.

The bill, introduced by Boris Johnson, is currently going through Parliament.

Critics say companies could be required by Ofcom to scan messages on encrypted apps for child sexual abuse material or terrorism content under the new law.

This has worried firms whose business is enabling private, secure communication.

So what’s the upshot for you? We support the reaction of Signal.

Taking privacy from the standpoint of “we’re not worried we don’t have anything to hide” is like inviting the local gossip club into your bedroom at 8 am on your day off.

They’re probably going to see things you’d wished they hadn’t, and the problems really begin when they start sharing what they saw.


US: A DNA Testing Company Forgot About 2.1 Million People’s Data. Then It Leaked.

A prominent DNA testing firm has settled a pair of lawsuits with the attorneys general of Pennsylvania and Ohio after a 2021 episode that saw cybercriminals steal data on 2.1 million people, including the Social Security numbers of 45,000 customers from those two states.

The company said it didn’t even know it had the data that was stolen because it was stored in an old database.

Evidence of the hacking episode first surfaced in May of 2021, when DDC’s managed service provider reached out via automated notification to inform the firm of unusual activity on its network.

DDC didn’t do much with that information. Instead, it waited several months before the MSP reached out yet again—this time to inform it that there was now evidence of Cobalt Strike on its network.

Cobalt Strike is a popular penetration testing tool that has frequently been co-opted by criminals to further penetrate already compromised networks.

Unexpectedly finding it on your network is never a good sign.

By the time DDC officially responded to its MSP’s warnings, a hacker had managed to steal data connected to 2.1 million people who had been genetically tested in the U.S., including the social security numbers of 45,000 customers from both Ohio and Pennsylvania.

So what’s the upshot for you? DDC will be forced to enact some basic protections, including hiring a professional CISO to oversee its information security program, conducting occasional security risk assessments of its network, maintaining an up-to-date asset inventory, designing and implementing “reasonable security measures” to protect its data, and developing a plan to respond to “suspicious network activity within its network within reasonable means.”

In essence, all things that companies should do anyway.


US: US Marshals Service Suffers ‘Major’ Security Breach That Compromises Sensitive Information

According to a spokesperson for the United States Marshals Service (USMS), the agency was hit with a ransomware attack last week that compromised sensitive information.

In a statement Monday, U.S. Marshals Service spokesperson Drew Wade acknowledged the breach, telling NBC News: “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees.”

So what’s the upshot for you? While the breach did expose rather a lot of sensitive information pertaining to the subjects of Marshals Service investigations, the marshals wished to calm nerves by stating that the heist did not include information from the witness protection program.


Global: After months of complete silence: LastPass Says Home Computer of DevOps Engineer Was Hacked

Password management software firm LastPass says one of its DevOps engineers had a personal home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from its cloud storage resources.

LastPass on Monday fessed up to a “second attack”, in which an unnamed threat actor combined data stolen in the August breach with information available from a third-party data breach and a vulnerability in a third-party media software package to launch a coordinated attack.

LastPass worked with incident response experts at Mandiant to perform forensics and found that a DevOps engineer’s home computer was targeted to get around security mitigations.

The attackers exploited a remote code execution vulnerability in a third-party media software package and planted keylogger malware on the employee’s personal computer.

“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault,” the company said.

“The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups,” LastPass confirmed.

LastPass originally disclosed the breach in August 2022 and warned that “some source code and technical information were stolen.”

SecurityWeek adds: “In January 2023, the company said the breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

So what’s the upshot for you? Still using LastPass? Run and do this now. Export your vault from LastPass and import it into another password manager and then start that long exercise of changing all your passwords.

Start with the most critical first (generally banks) and work your way through them all.

At least one Class Action lawsuit was started back in January, so if you were affected you can expect an email at some point over the next few years.


EU/CA: And now the EU and Canada

Staff working at the European Commission have been ordered to remove the TikTok app from their phones and corporate devices.

The commission said it was implementing the measure to “protect data and increase cybersecurity.” The EU’s executive arm made the decision for security reasons.

“The measure aims to protect the Commission against cybersecurity threats and actions which may be exploited for cyberattacks against the corporate environment of the commission.”

The ban also means that European Commission staff cannot use TikTok on personal devices that have official apps installed.

The commission says it has around 32,000 permanent and contract employees.

They must remove the app as soon as possible and no later than March 15.

And now Canada has announced it is banning TikTok from all government-issued mobile devices, reflecting widening worries among Western officials over the Chinese-owned video-sharing app.

Prime Minister Justin Trudeau said it might be a first step to further action or that it might be it. “I suspect that as the government takes the significant step of telling all federal employees that they can no longer use TikTok on their work phones many Canadians from business to private individuals will reflect on the security of their own data and perhaps make choices,” Trudeau said.

These actions follow similar moves in the U.S., where more than half of the states and Congress have banned TikTok from official government devices.

So what’s the upshot for you? TikTok, owned by Chinese company ByteDance, has faced allegations that it harvests users’ data and hands it to the Chinese government.


Global: LinkedIn Scammers Step Up Sophistication of Online Attacks

LinkedIn has been hit by a rise in sophisticated recruitment scams, as fraudsters seek to take advantage of the trend towards remote working and widespread lay-offs across the tech sector.

Jobseekers on the world’s largest professional network are being defrauded out of money after taking part in fake recruitment processes set up by scammers who pose as employers, before obtaining personal and financial information.

“There’s certainly an increase in the sophistication of the attacks and the cleverness,” Oscar Rodriguez, vice-president of product management at LinkedIn, told the Financial Times. “We see websites being set up, we see phone numbers with a seemingly professional operator picking up the phone and answering on the company’s behalf. We see a move to more sophisticated deception,” he added.

The warning comes as the Microsoft-owned social media company said it has sought to block tens of millions of fake accounts in recent months, while US regulators warn of an increase in jobs-related cons.

Last month, cyber security company Zscaler revealed a scam that targeted job seekers and a dozen US companies, where fraudsters approached people through LinkedIn’s direct messaging feature InMail.

Scammers identified businesses that were already hiring, including enterprise software company Zuora, software developer Intellectsoft, and Zscaler itself.

They then created “lookalike” websites with similar job ads and, via LinkedIn’s InMail feature, invited jobseekers to enter personal information into the websites, before conducting remote interviews via Skype.

So what’s the upshot for you? These days you might want to pop a few questions back to the recruiter requesting your resume on LinkedIn, just to validate that they are real.

Most résumés/CVs include an address, email, various websites, and a full name: a perfect sampling of personally identifiable information (PII) for a fraudster to launch a scam with.


Global: No One Knows If Decades-Old Backups or Nukes Would Actually Work

Testing is critical to your understanding of whether something actually works.

Have you been doing backups of your data? How often do you test recovery? That’s where you find the surprises.

That’s also where the comparison to weapons of mass destruction ends, apart from the explosion of realization when you can’t recover a directory of cherished artifacts.

Atomic weapons are complex, sensitive, and often pretty old.

With testing banned, countries have to rely on good simulations to trust their weapons work.

No nation has detonated a nuclear weapon in conflict since 1945.

Countries including the US, Russia, and China wield hefty nuclear arsenals and regularly squabble over how to manage them – only last week, Russia suspended participation in its nuclear arms reduction treaty with the US.

Thankfully, nuclear warheads mostly just sit there, motionless and silent, in their silos and underground storage caverns.

If someone actually tried to use one, though, would it definitely go off as intended?

“Nobody really knows,” says Alex Wellerstein, a nuclear weapons historian at the Stevens Institute of Technology.

US officials said between 20 and 60 percent of Russian missiles fired at Ukraine were failing, either in terms of not launching or not hitting the intended target.

Modern thermonuclear devices are complex bits of machinery designed to initiate a specific explosive sequence, sometimes called a fission-fusion-fission reaction, which releases a massive amount of energy.

Some warheads designed decades ago are still part of nuclear arsenals.

Over time, their parts must be carefully checked for degradation and refurbished or replaced. But certain components can become unavailable due to changes in manufacturing capabilities.

So what’s the upshot for you? Returning to your backups.

If you are backing up to the cloud, make sure you have noted your account and password and have 2FA in place. Double-check that encryption is being used. Test that you can recover what you are backing up. And make sure that bill is being paid.

[Image: Atomic Backup]

If you are backing up to an external disk, test both recovery and backups periodically. Disks die. It’s cheap enough to back up to a couple of devices.

Yes, it’s another chore, but testing is the only way to confirm a recovery works, and, like those warheads, you don’t want to be around if it doesn’t.
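A small restore test of the kind the section recommends, added here as an example rather than anything from the original post: it backs up a constructed sample directory to a tar archive with a SHA-256 manifest, restores into a scratch directory and re-checks every file, then silently corrupts the archive to show that “tar exited 0” is not the same as “the backup is good”. It assumes a Linux box with GNU tar, grep and coreutils (sha256sum).

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU tar/grep/coreutils.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/data"          # constructed sample data standing in for the real directory
BACKUP="$WORK/backup.tar"

# Constructed sample files: the "cherished artifacts" we will try to recover.
make_sample_data() {
    mkdir -p "$SRC/photos"
    printf 'family holiday 2019\n' > "$SRC/photos/holiday.txt"
    printf 'tax return\n' > "$SRC/taxes.txt"
}

# Take the backup and write a hash manifest beside it. The manifest is what
# lets a later restore test check contents, not just that extraction ran.
take_backup() {
    tar -cf "$BACKUP" -C "$SRC" .
    ( cd "$SRC" && find . -type f | sort | xargs sha256sum ) > "$BACKUP.sha256"
}

# Restore into a fresh directory and verify every file against the manifest.
# Returns 0 only if every file came back with exactly the expected contents.
verify_restore() {
    restore_dir=$(mktemp -d "$WORK/restore.XXXXXX")
    tar -xf "$BACKUP" -C "$restore_dir"
    ( cd "$restore_dir" && sha256sum -c --quiet "$BACKUP.sha256" )
}

# Simulate silent bit rot: overwrite bytes inside the archive with a string of
# the same length, so tar still extracts cleanly but one file is now wrong.
corrupt_backup() {
    off=$(grep -abo 'tax return' "$BACKUP" | head -n 1 | cut -d: -f1)
    printf 'tax refund' | dd of="$BACKUP" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# Stand-alone demonstration: a healthy backup passes, a corrupted one is caught.
demo() {
    make_sample_data
    take_backup
    verify_restore && echo "restore verified: every file matches the manifest"
    corrupt_backup
    if verify_restore; then echo "corruption missed"; else echo "corruption detected"; fi
}

demo
```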


Our Quote of the week: “It always seems impossible until it’s done.” – Nelson Mandela


That’s it for this week. Stay safe, stay secure, recover your backups, and see you in se7en.



Hello and thank you for sending me an email, but I have to say, unfortunately, I did not understand what you meant. If possible, make it a little simpler so that non-professionals can understand it. Please tell me in advance. Thank you

On Wednesday, March 1, 2023 at 3:51, Rich via Daml Developers Community <notifications@daml.discoursemail.com> wrote: