Google Cloud’s weak passwords, pressure on breach disclosure, Discord cooperating on Pentagon leak

Weak passwords targeted on Google Cloud

According to a report from Google Cloud’s Cybersecurity Action Team, weak passwords represented the root cause of almost half the incidents impacting its clients. This appears to be a rising tide, with Google Cloud’s Chris Porter saying incidents caused by software issues and zero-days continue to decrease as a percentage. It’s not all bad passwords: compromised APIs accounted for almost 20% of incidents. Porter also noted that sophisticated nation-state actors appear to mimic cybercrime organizations in adopting these tactics. For Porter, APTs increasingly emphasize the “persistent” part of their acronym, using sustained low-effort approaches like phishing to eventually gain a foothold in a network.

(CyberScoop)

Potential IT snitches warned about employment stitches

According to Bitdefender’s recent “2023 Cybersecurity Assessment Report,” 42% of IT and security professionals surveyed said organizations instructed them to keep a data breach confidential despite knowing it should be reported. This issue seemed more acute in the US, reported by 71% of US respondents. About 30% said they complied and did not report a breach. This is especially concerning as US respondents led the survey, with 75% saying they experienced a data breach in the last 12 months. This comes in light of former Uber CSO Joe Sullivan being convicted of obstruction last year for covering up a large data breach.

(Dark Reading)

Discord cooperating with leaked document investigation

Earlier this week, we covered the path that leaked Pentagon documents dealing with the war in Ukraine took before being covered by large press outlets. The publication Bellingcat found they started on a now-deleted Discord server, before being republished on another server, then making their way to 4Chan and Telegram groups. Discord confirmed it’s cooperating with US investigators to look into the leak, which is now under active investigation. Bellingcat’s investigation found the documents could have been leaked as early as January, but Reuters and other outlets have been unable to corroborate this finding.

(Reuters)

Italy outlines rules for OpenAI

Last month, Italy’s data regulator ordered OpenAI to stop processing local data, suspecting it of breaching GDPR. The regulator now says that in order to come into compliance, OpenAI must publish full details of its data processing, adopt strong age gating and verification tech to prevent minors from accessing services, clarify the legal basis it uses for processing local data to train AI, and provide a way for people to exercise rights over personal data potentially generated by tools like ChatGPT. This includes provisions like the EU’s right to be forgotten from OpenAI’s datasets. It set a compliance deadline of April 30th for most of these issues, with a plan for age verification needed by May 31st. OpenAI did not respond when asked for comment on this latest ruling from the regulator, but previously said it “think[s] we are following all privacy laws.”

(TechCrunch)

EU sets up ChatGPT task force

When Italy dropped the hammer on OpenAI, it remained an open question how data regulators in the EU would react. Now we have an indication. The European Data Protection Board announced it set up a ChatGPT task force. This body will “foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities.” Reuters’ sources say the body will try to align regulators across the bloc on policy positions. It will not seek to make rules specifically to target OpenAI. Outside of Italy, regulators in Spain and Germany also announced investigations into OpenAI.

(Reuters)

Hikvision flaw exposes video data

The surveillance company confirmed an “access control issue” on its Hybrid SAN and cluster storage portfolio could allow an attacker with network access to obtain admin access to these devices and gain access to stored video security data. These devices often run on the open internet. This opens the door to a large attack surface. In its advisory, the company stated it did not find evidence of active exploitation. Security researchers at Redinent reported the flaw in December, with Hikvision issuing a patch on April 10th.

(Security Week)

Cisco to air-gap WebEx

The networking giant announced plans to offer an air-gapped version of its WebEx cloud collaboration system, designed to cater to companies in highly controlled industries, think national security and defense. Cisco will introduce Air-Gapped Trusted Cloud next year. Like other similar services, Cisco will air-gap the servers from public networks, operate them in the US, and monitor them with properly cleared local staff. The company claims this will meet US security standards across industries without sacrificing user experience.

(Computer World)

Western Digital attackers say they have customer data

Earlier this month, the storage giant Western Digital confirmed it experienced a “network security incident” that saw data exfiltration across its systems. It remains cagey on specifics of what the attackers actually obtained. Well, the attackers aren’t being mum about it. Speaking to TechCrunch, one of their representatives said they obtained roughly 10 terabytes of data in the attack. This included customer information. They shared a file they created signed with WD’s certificate, and shared executives’ phone numbers. The attackers say they performed the attack for financial gain.

(TechCrunch)
