Cyber Security Today, June 17, 2024 – Microsoft faces heat in Congress, alleged cybercrook arrested, and more


Microsoft faces heat in Congress, an alleged cybercrook arrested, and more.

Welcome to Cyber Security Today. It’s Monday June 17, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


Law enforcement agencies in the U.S., Germany, the Netherlands and Iceland last week shut servers used by the Islamic State for terrorist communications and propaganda. In addition, police in Spain arrested what they say are nine radicalized persons.

Separately, there are news reports that police in Spain arrested an alleged member of the Scattered Spider cybercrime group. Security reporter Brian Krebs says the suspect is a 22-year-old man from the U.K. This follows the arrest in January of another alleged Scattered Spider gang member in Florida. A favoured tactic of this gang is tricking targets into giving up information that allows the crooks to take over their smartphones in what’s known as a SIM swapping attack. With smartphone control the crooks can access corporate IT networks.

Attention owners or administrators of Asus routers: According to Security Affairs, Asus has issued patches for several of its ZenWiFi and RT routers. They close an authentication vulnerability.

Blackbaud, a U.S. company that sells data management software for nonprofits, will have to pay California US$6.7 million for making misleading public statements about a 2020 data breach. This is part of a settlement with the state that still has to be approved by a court. The agreement comes after the U.S. Federal Trade Commission finalized an order against Blackbaud forbidding the company from misrepresenting its data security and data retention policies, as well as forcing it to develop a comprehensive information security program.

Vermont’s legislature plans to meet today to override Governor Phil Scott’s veto of a proposed state privacy law. According to Security Week, the governor said the proposed law would make the state hostile to businesses. The bill, passed by a wide margin by the legislature, would prohibit firms from selling Social Security numbers, drivers’ licence numbers, financial information and health data.

The U.K. Information Commissioner’s Office says it’s pleased Meta has paused its plan to use publicly-available Facebook and Instagram posts in Europe to train its generative AI system. An ICO official said that to get the most out of generative AI it’s crucial that the public trust their privacy rights will be respected. However, TechCrunch notes that Meta continues in the U.S. and other countries to use Facebook and Instagram posts to train its AI. Last week the Canadian Press published an article on how you can ask Meta not to use your data for AI training. One problem: Applicants have to prove their data is being used by the company for AI training.

Tomorrow’s launch of Windows Copilot+ PCs won’t include the controversial Recall tool. Recall, which takes snapshots of users’ screens every few seconds to help them search and recall where they’ve been online, has been branded a security and privacy risk by many experts. Last week Microsoft bowed to pressure and said it would tighten protection of Recall data stored on users’ computers. It was still supposed to be broadly available for use on Copilot+ PCs in preview mode starting Tuesday. However, at the end of last week Microsoft said Recall will now be limited to those in the Windows Insider Program. At some point the preview will get general availability. Copilot+ PCs have a special Snapdragon X processor for running AI-related photo and video editing jobs.

Speaking of Microsoft, president Brad Smith got a skeptical response from some members of a House of Representatives committee when he testified last Thursday. “Every time there’s anything remotely close to a request” for data from the government of China, “I always ensure we say ‘no,’” Smith testified. According to Cyberscoop, Florida Republican Representative Carlos Gimenez wondered how it is that Microsoft doesn’t have to comply with Chinese law. “For some reason I just don’t trust a word you’re saying to me,” Gimenez said. “You have a cozy relationship in China. … I can’t believe they’re going to say ‘yeah, OK, no problem, you [at Microsoft] don’t have to comply with our law, but everybody else does.’”

In his opening statement Smith admitted Microsoft can do better on cybersecurity, saying the company is putting more resources into making its products more secure. That includes accepting and working on all recent recommendations by the U.S. Cybersecurity Safety Review Board on tightening the company’s security. Those recommendations came in a report on the hack by China last year of Microsoft Exchange Online. However, Representative Bennie Thompson of Mississippi said he is still unsatisfied with Microsoft’s explanation of how a stolen digital key for the consumer version of Exchange Online worked on enterprise accounts. “To this day we still do not know how the threat actor accessed the signing key,” Thompson said.

Smith also complained about cyber attacks in general from China, North Korea and Russia, and warned they might work more closely in cyberspace. Nation-state attackers too often attack without meaningful consequences, he said.

Which brings me to the negotiations at the United Nations on a cybercrime treaty. The final session is scheduled to start July 29th in New York. According to the Electronic Frontier Foundation, the nearly-final version leaves the possibility of criminalizing the work of security researchers, whistleblowers and reporters who look for holes in applications. The foundation says the treaty should make it clear that investigative activity must have criminal intent to harm, steal data or defraud people. Another worry is that a clause that countries have agreed on could allow governments to compel “any individual” with knowledge of computer systems to provide any “necessary information” for conducting searches and seizures of computer systems. Contact your national government to ask about the country’s position on the negotiations.

Follow Cyber Security Today on Apple Podcasts, Spotify or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
