Cyber Security Today, June 17, 2024 - Microsoft faces heat in Congress, alleged cybercrook arrested, and more

Released Monday, 17th June 2024
Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

Cybersecurity Today is brought to you by

0:02

the generous support of our sponsor, Boseron

0:04

Security. You can get their

0:07

2024 State of Cybersecurity Awareness Report

0:09

at boseronsecurity.com, and there's a link

0:11

you can follow in the show

0:13

notes. Microsoft

0:17

faces heat in Congress, and

0:20

an alleged cyber crook is arrested, and more.

0:23

Welcome to Cybersecurity Today. It's Monday,

0:25

June 17, 2024. I'm Howard Solomon,

0:30

contributing reporter on

0:32

cybersecurity for technewsday.com.

0:38

Law enforcement agencies in the

0:40

U.S., Germany, the Netherlands, and

0:42

Iceland shut servers last

0:45

week used by the Islamic State

0:47

for terrorist communications and propaganda. In

0:50

addition, police in Spain arrested

0:53

what they say are nine

0:55

radicalized persons. Separately,

0:58

there are news reports that police

1:00

in Spain arrested an alleged member

1:02

of the Scattered Spider Cybercrime Group.

1:05

Security reporter Brian Krebs says

1:08

the suspect is a 22-year-old

1:10

man from the UK. This

1:12

follows the arrest in January

1:15

of another alleged Scattered Spider

1:17

gang member in Florida. A

1:19

favored tactic of this gang is tricking

1:22

targets into giving up information that allows

1:24

the crooks to take over their smartphones

1:26

in what's known as a SIM swapping

1:29

attack. With smartphone control,

1:31

the crooks can access corporate

1:33

IT networks. Attention

1:36

owners or administrators of ASUS

1:39

routers. According to Security

1:41

Affairs, ASUS has issued

1:43

patches for several of its Zen

1:45

Wi-Fi and RT routers. The

1:48

patches close an authentication vulnerability.

1:53

Blackbaud, a U.S. company that

1:55

sells data management software for

1:58

nonprofits, will have to pay California $6.7

2:02

million for making misleading public statements about

2:04

a 2020 data breach. This

2:07

is part of a settlement with a state that still

2:10

has to be approved by a court. The

2:12

agreement comes after the U.S. Federal

2:15

Trade Commission finalized an order against

2:17

Blackbaud forbidding the company

2:19

from misrepresenting its data security

2:21

and data retention policies, as

2:24

well as forcing the company

2:26

to develop comprehensive information security

2:29

programs. Vermont's

2:31

legislature plans to meet today

2:33

to override Governor Phil Scott's

2:36

veto of a proposed state

2:38

privacy law. According to

2:40

Security Week, the governor said the proposed

2:42

law would make the state hostile to

2:44

businesses. The bill,

2:47

passed by a wide margin

2:49

by the legislature, would prohibit

2:51

firms from selling social security

2:53

driver's license numbers, financial information,

2:55

and health data. The

2:59

UK Information Commissioner's office says

3:01

it is pleased Meta has

3:04

paused its plan to use

3:06

publicly available Facebook and Instagram

3:08

posts in Europe to train

3:10

its generative AI system. An

3:13

ICO official said that to get the most

3:15

out of generative AI, it's

3:18

crucial that the public trust that their

3:20

privacy rights will be respected. However,

3:23

TechCrunch notes that Meta continues in

3:25

the U.S. and other countries to

3:28

use Facebook and Instagram posts to

3:30

train its AI. Last

3:33

week, the Canadian Press published an article

3:35

on how you can ask Meta not

3:37

to use your data for AI training.

3:40

One problem: applicants have

3:43

to prove that their data is being

3:45

used by the company for AI training.

3:49

Tomorrow's launch of the Windows

3:51

Copilot Plus PCs won't include

3:53

the full use of the

3:56

controversial Recall tool. Recall,

3:59

which takes snapshots of users'

4:01

screens every few seconds to help them

4:03

search and recall where they've been online,

4:05

has been branded a security and privacy

4:08

risk by many experts. Last

4:11

week, Microsoft bowed to pressure and

4:13

said it would tighten protection of

4:15

Recall data stored on users' computers.

4:18

It was still supposed to

4:20

be broadly available for use

4:22

on Copilot PCs in preview

4:24

mode starting Tuesday. However,

4:27

at the end of last week,

4:29

Microsoft said Recall will now be

4:31

limited to those in the Windows

4:33

Insider program. At

4:35

some point, the preview will get

4:37

general availability. Copilot

4:40

Plus PCs have a special

4:42

Snapdragon X processor for running

4:44

AI-related photo and video editing

4:47

jobs. Speaking

4:50

of Microsoft, President Brad Smith got

4:52

a skeptical response from some members

4:55

of a House of Representatives committee

4:57

when he testified last Thursday. "Every

5:00

time there's anything remotely close to

5:02

or requests for data from the government

5:05

of China, I always ensure we say

5:07

no," Smith testified. According

5:10

to Cyberscoop, Florida Representative

5:12

Carlos Gimenez wondered how it is

5:14

that Microsoft doesn't have to comply

5:16

with a Chinese law. "For

5:19

some reason, I just don't trust a word

5:21

you're saying to me," Gimenez told

5:23

Brad Smith. "You have a

5:26

cozy relationship in China. I can't believe that

5:28

they're going to say, well, okay, no problem

5:30

for you at Microsoft. You don't have to

5:32

comply with our law, but

5:34

everybody else does." In

5:37

his opening statement, Smith admitted Microsoft

5:39

can do better on cybersecurity,

5:41

saying the company is putting more

5:44

resources into making its products more secure.

5:47

That includes accepting and working

5:49

on all recent recommendations by

5:51

the U.S. Cybersecurity Safety Review

5:54

Board on tightening companies' security.

5:57

Those recommendations came in a report on the

5:59

hack by China last year

6:01

of Microsoft Exchange Online.

6:04

However, Representative Bennie Thompson

6:07

of Mississippi said he's

6:09

still unsatisfied with Microsoft's explanation

6:11

of how a stolen digital

6:13

key for the consumer version

6:16

of Exchange Online worked

6:18

also on enterprise accounts. To

6:22

this day, we still don't know how the

6:24

threat actor accessed the signing key, said.

6:28

Microsoft Smith also complained about

6:30

cyber attacks in general from

6:32

China, North Korea and Russia

6:35

and warned they might work more

6:37

closely together in cyberspace. Nation

6:40

state attackers too often attack

6:42

without meaningful consequences, he said.

6:45

Which brings me to the negotiations at

6:48

the United Nations on a cybercrime treaty.

6:51

The final session is scheduled to start July

6:53

29th in New York. According

6:56

to the Electronic Frontier Foundation,

6:58

the nearly final version leaves

7:01

the possibility open of criminalizing

7:03

the work of security researchers, whistleblowers

7:06

and reporters who look for holes

7:08

in applications. The foundation

7:10

says the treaty should make it

7:13

clear that investigative activity must have

7:15

criminal intent to harm, steal data

7:17

or defraud people. Another

7:19

worry is that a clause that

7:22

countries have agreed on could allow

7:24

governments to compel any individual with

7:26

knowledge of computer systems to provide

7:28

any necessary information for conducting searches

7:31

and seizures of computer systems. Listeners

7:34

can contact their national governments to

7:37

ask about their country's position on

7:39

the negotiations. That's

7:42

it for now. Links to

7:44

details about news mentioned in this podcast

7:46

episode are in the text version at

7:49

technewsday.com. Follow

7:52

Cybersecurity Today on Apple Podcasts, Spotify

7:54

or add us to your flash

7:57

briefing on your smart speaker. Thanks

8:00

for listening. I'm Howard

8:02

Solomon.
