Gemini AI privacy, AI Risk Repository, Russian phishing

Subscribe to Cyber Security Headlines podcast

Spotify, Apple Podcasts, RSS link, add as an Alexa Skill, or search "Cyber Security Headlines" on your favorite podcast app.

In today’s cybersecurity news…

Google details privacy commitments with Gemini AI

Google announced new hardware and Gemini AI features this week. Many of these AI tools will feature local offline-only processing using its smaller Gemini Nano model, including Smart keyboard replies, Call Notes, scam detection, and Summarization features. But for some features, tasks will handoff to Google’s cloud infrastructure. The company said in these cases it will not use any third-party AI providers, process all sensitive data in a secure cloud enclave, and provide user control and transparency for any chats and app responses sent to the cloud. Google plans to publish a white paper with technical details on its cloud AI end-to-end security soon.?

(Bleeping Computer)

MIT releases AI Risk Repository

We’ve covered numerous academic studies looking at the potential risks around emerging AI technologies. But this new AI Risk Repository marks an attempt to “rigorously curate, analyze, and extract AI risk frameworks into a publicly accessible, comprehensive, extensible, and categorized risk database.” At its highest level, it focuses on a Causal Taxonomy of AI Risk, based on originating entity, either AI or Human, intentionality, and timing. From there, it further sorts risks across different domains. At launch, it contains over 700 unique risks, based on over 3,000 real-world incidents that caused harm or came close to it. The researchers hope this can be useful to organizations deploying AI tools, and create a further academic framework to evaluate future risks. We’ve got a link to the repository in our show notes.?

(VentureBeat, AI Risk Repository)

Russian spies using highly targeted phishing

The Washington Post highlighted new research from Citizen Lab and Access Now, showing that Russia’s FSB and other intelligence services began campaigns to send individually crafted phishing emails to targets, utilizing their deep corpus of individuals and organizations to make them highly effective. These targeted the Russian rights organization First Department, the news organization Proekt Media, former US ambassador to Ukraine Steven Pifer, and the campaign of former president Donald Trump. The researchers found two distinct groups, ColdRiver with ties to Russia’s FSB, and ColdWastrel. Citizen Lab shared technical details with email providers in the hopes of blocking future attacks.?

(WaPo)

Deepfake webcam software goes viral

If you checked out GitHub’s trending repositories lately, and who doesn’t, you might have seen Deep-Live-Cam. It rose to number one this week and as of this writing sits at number 5. In development since late 2023, the software allows someone to use a single photo and apply it to a live webcam feed to create a deepfake video image. Deep-Live-Cam uses the pre-trained “inswapper” model for the face swap, trained on millions of images to approximate how a 2D image would look from different angles, with a separate GFPGAN model improving the output quality. It includes optimized installs for GPU acceleration on Nvidia hardware and Apple Silicon. Just a reminder to establish code words with family members if you haven’t already.?

(Ars Technica, Deep-Live-Cam)

Thanks to today’s episode sponsor, ThreatLocker

AutoCanada hit by cyberattack

The rough year for North American car dealerships continues. AutoCanada operates 84 dealerships across Canada and the US. It confirmed threat actors accessed its internal IT systems over the weekend. It’s not clear if the attack exfiltrated any data, but it did disrupt network operations. No ransomware group has taken credit for the attack yet. This comes after AutoCanada was among the many dealerships hit by the CDK Global IT outage earlier this summer. The company only completed its full recovery and validation from that incident at the end of July.?

(Bleeping Computer)

Troy Hunt delves deep on NPD breach

We reported yesterday on the publication of a massive trove of information from the data aggregator National Public Data. Security researcher Troy Hunt published a blog post looking at what got published. Hunt was skeptical of the size of the leak of 2.9 billion people with social security numbers, given that the number greatly exceeds the population of the US. He found the data included 2.9 billion rows of data with social security numbers and names, but with many duplicates and many deceases people. Reports of the data set also include much more fragmented leaks that did not include SSNs but did include 134 million unique email addresses. Hunt included these emails in the Have I Been Pwned breach notification service but wrote the post to make it clear these leaked emails aren’t directly tied to any social security numbers.?

(Troy Hunt)

India cracks down on spam calls

India’s Telecom Regulatory Authority issued a directive, ordering service providers to block all promotional calls from unregistered senders. This applies to both pre-recorded and computer-generated calls. Violations by service providers can result in being disconnected from telco service for up to two years. Once finding a spammer, service providers must notify other providers within 24 hours and cut off phone lines used for the calls. Local media reports this year found most people in India receiving multiple spam calls a day over the last 12 months. These calls generally are used to ask for fraudulent donations or other social engineering lures.?

(The Record)

Windows 11 turns on BitLocker by default

Windows BitLocker device encryption isn’t new, it was introduced with Windows Vista. But up until now, users and admins opted into BitLocker. That changes with Windows 11 24H2. Clean installs of the OS will now enable BitLocker encryption by default on first sign-in or setup, although devices upgrading to that OS won’t be automatically enrolled. Users can also choose to turn off device encryption after setup. Recovery keys will back up to a Microsoft account or Entra ID. Notably, this move will also reduce the hardware requirements for automatic encryption, no longer requiring Hardware Security Test Interface or Modern Standby.

(The Verge)