US policing AI use for civil rights violations, Bill proposes security testing centers for government tech, Edge leaking browsing data to Bing

US policing use of AI for civil rights violations

On Tuesday, officials from several US government agencies warned financial firms and others that the use of artificial intelligence (AI) can heighten the risk of bias and civil rights violations, signaling that they are policing marketplaces for such discrimination. For example, financial firms are legally required to explain adverse credit decisions; the agencies said that if companies don't understand the reasons for the decisions their AI is making, they cannot legally use it. FTC chair Lina Khan said, "Claims of innovation must not be cover for lawbreaking."

(Reuters)

Bill proposes new security testing centers for critical government tech

On Tuesday, US lawmakers introduced the Critical Technology Security Centers Act of 2023. The legislation emerged from the work of the Cyberspace Solarium Commission and would have the Department of Homeland Security (DHS) create two offices dedicated to evaluating and testing the security of critical technology used by the federal government. The centers would focus on securing information and communications technology as well as programmable logic controllers (PLCs) and supervisory control and data acquisition (SCADA) servers, both of which have become frequent targets of nation-state threat actors. Most current testing capabilities are spread across independent, commercial, and government organizations.

(The Record)

Microsoft Edge is leaking user browsing data to Bing

Last week, Reddit users first spotted a privacy issue in Microsoft Edge, noticing that the latest version of the browser sends a request to bingapis.com containing the full URL of nearly every page a user visits. The behavior appears to be tied to the release of Edge's content creator feature, designed to let users follow their favorite creators on YouTube and across the web. Users who disable this feature can prevent their URLs from being sent to Bing. Microsoft said it is currently investigating the reports.

(The Verge)

OpenAI offers new privacy options for ChatGPT

OpenAI appears to be trying to make people more comfortable using its chatbot and deciding how their data is used. The startup said Tuesday that ChatGPT users can now turn off their chat history with a toggle switch in their account settings. When they do, their conversations will no longer be saved in ChatGPT's history sidebar (on the left side of the webpage), and OpenAI won't use the data to train its models. The company clarified that ChatGPT will still store data, including conversations where users have turned off chat history, for 30 days before deleting it, in order to spot abusive behavior.

(Bloomberg)

And now a word from our sponsor, Tines

New bug can lead to massive DDoS amplification attacks

Researchers at BitSight and Curesec have uncovered a new reflective denial-of-service (DoS) amplification vulnerability (CVE-2023-29552) in the Service Location Protocol (SLP) that allows threat actors to launch denial-of-service attacks with 2,200x amplification. SLP was created in 1997 for use in local area networks (LANs) so that devices could advertise their availability over port 427. It was never designed to be exposed to the public internet, but the researchers say that over 2,000 organizations worldwide are exposing roughly 54,000 vulnerable SLP instances. Vulnerable services include VMware ESXi hypervisors, Konica Minolta printers, IBM Integrated Management Modules, and Planex routers.

(Bleeping Computer)
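As a defender-side illustration of the SLP item above (an example added here, not BitSight/Curesec code): a check over flow records that flags hosts answering port 427 requests from outside the LAN with replies many times larger than the requests, the traffic shape of an exposed reflector. The flow records, addresses and the 10x threshold are constructed assumptions.

```python
# Added example for this digest (not BitSight/Curesec tooling): flag hosts that
# answer SLP requests (port 427) from outside the LAN with much larger replies,
# the traffic pattern of an exposed reflector. Flow records are constructed;
# real input would come from NetFlow/IPFIX or firewall logs.
from collections import defaultdict
import ipaddress

SLP_PORT = 427
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# (src_ip, src_port, dst_ip, dst_port, bytes) -- constructed sample flows
SAMPLE_FLOWS = [
    ("203.0.113.10", 40001, "10.0.0.5", 427, 64),      # small request from outside
    ("10.0.0.5", 427, "203.0.113.10", 40001, 14000),   # large reply back outside
    ("203.0.113.11", 40002, "10.0.0.5", 427, 64),
    ("10.0.0.5", 427, "203.0.113.11", 40002, 14000),
    ("10.0.0.7", 50000, "10.0.0.9", 427, 64),          # LAN-only SLP: expected use
    ("10.0.0.9", 427, "10.0.0.7", 50000, 120),
    ("203.0.113.12", 40003, "10.0.0.8", 443, 900),     # unrelated HTTPS traffic
]

def is_external(ip):
    """True when the address lies outside the RFC 1918 ranges SLP is meant for."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_slp_reflectors(flows, min_ratio=10.0):
    """Return {host: (external_clients, bytes_out / bytes_in)} for hosts that
    serve SLP to external clients with replies >= min_ratio times the requests."""
    req_bytes = defaultdict(int)
    resp_bytes = defaultdict(int)
    clients = defaultdict(set)
    for src, sport, dst, dport, nbytes in flows:
        if dport == SLP_PORT and is_external(src):     # request reaching an SLP host
            req_bytes[dst] += nbytes
            clients[dst].add(src)
        elif sport == SLP_PORT and is_external(dst):   # reply leaving toward the internet
            resp_bytes[src] += nbytes
    findings = {}
    for host, ext_clients in clients.items():
        ratio = resp_bytes[host] / max(req_bytes[host], 1)
        if ratio >= min_ratio:
            findings[host] = (len(ext_clients), ratio)
    return findings

if __name__ == "__main__":
    for host, (n, ratio) in find_slp_reflectors(SAMPLE_FLOWS).items():
        print(f"{host}: SLP replies to {n} external clients, {ratio:.0f}x bytes out/in")
```

Hosts this reports are candidates for firewalling port 427 from the internet or disabling SLP where it is not needed.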

VMware fixes zero-day exploits used at Pwn2Own

On Tuesday, VMware released security updates to address two critical zero-day vulnerabilities that could be used to exploit the company's Workstation and Fusion software hypervisors. The first (CVE-2023-20869) is a stack-based buffer overflow in the Bluetooth device-sharing functionality, and the second (CVE-2023-20870) allows information disclosure while sharing host Bluetooth devices with the VM. An exploit chain using both flaws was demonstrated by STAR Labs researchers on day 2 of the Pwn2Own Vancouver 2023 hacking contest last month. Vendors have 90 days to patch zero-day bugs disclosed at Pwn2Own before the technical details are released.

(Bleeping Computer)

Google adds new risk assessment tool for Chrome extensions

Google has released a new tool for Google Workspace admins and security teams to assess the risk that different Chrome extensions may present to their users. The feature, called Spin.AI App Risk Assessment, lets admins view extension usage details, configure extension-related policies, create extension approval workflows, and see a risk score for each extension. Admins can find the new feature in the Chrome Browser Cloud Management console.

(Help Net Security)

Google finds flaws in Intel TDX after nine-month audit

After analyzing 81 potential attack vectors as part of a nine-month audit, Google has identified 10 vulnerabilities in Intel Trust Domain Extensions (TDX). TDX provides "confidential computing" in a hardware-isolated environment. Google engineers say they inspected the TDX firmware for issues such as arbitrary code execution, error handling and state management, and denial of service (DoS). Intel has reportedly remediated all of the issues identified by Google. The audit also gave Google a deeper technical understanding of TDX and helped Intel improve its technical documentation. Google also said it supports Intel in making the TDX firmware source code publicly accessible and verifiably buildable.

(Infosecurity Magazine)
