At a glance.
- TransUnion says source of data breach must be third party.
- Finnish police take down dark web drug forum.
- FTC nominees call on Congress to pass privacy legislation.
- Automotive cybersecurity: vulnerabilities.
- Preemptive stress-testing of voting machines.
- TikTok will label AI-created content.
TransUnion says source of data breach must be third party.
As we noted earlier this week, a hacker is claiming to have infiltrated the systems of US credit reporting agency TransUnion, making off with data allegedly belonging to 58,505 American and European customers. The cybercriminal, who goes by the handle “USDoD,” published 3GB of the data on an underground hackers’ forum. However, as Bleeping Computer reports, TransUnion is saying there’s no evidence of any breach or data theft from their systems, claiming that any data the hacker possesses must have been stolen from a third party.
TransUnion published a statement saying they’re aware of “some limited online activity alleging that data obtained from multiple entities, including TransUnion, will be released,” and that a subsequent investigation revealed no signs of an attack on the company’s systems. What’s more, they claimed, the formatting of the released data does not match the company’s protocols, further indicating it must have been obtained from some other source. "Through our investigation, we have found that multiple aspects of the messages – including the data, formatting, and fields – do not match the data content or formats at TransUnion, indicating that any such data came from a third party," TransUnion stated. TechRadar notes that the date info in the compromised database matches that of the data stolen in a ransomware attack suffered by TransUnion’s South African headquarters in 2022.
Finnish police take down dark web drug forum.
Finnish Customs has announced that an international law enforcement operation has taken down PIILOPUOTI, a dark web marketplace used to smuggle narcotics and drug paraphernalia into Finland. In cooperation with German and Lithuanian authorities, Europol, and the European Union Agency for Criminal Justice Cooperation (Eurojust), Finnish Customs has seized the site’s web server, which had operated on the encrypted Tor Network since May 2022. A statement from Finnish authorities reads, “The criminal investigation is still underway. At this point, Finnish Customs and our international cooperation partners will not provide any further information on the matter.” Finnish authorities have declined to share any additional details about the operation, including whether any arrests were made.
Romanian cybersecurity tech company Bitdefender says it offered technical consulting services for the parties involved with the investigation. Senior director of the firm’s investigation and forensics unit Alexandru Catalin Cosoi told the Record, “This operation is a prime example of the public and private sector pooling resources and working together to disrupt illegal online activities…It should also serve as a wake-up call for criminals who falsely believe their infrastructures, anonymity and actions are fully protected by the dark web. They should understand if they are in the crosshairs of an international effort, they will eventually be brought to justice.” As Security Affairs notes, the takedown occurred just in time for the annual Dark Web Conference, which will be held at Europol’s headquarters in October. Europol states, “This event, restricted to law enforcement, will bring together over 180 investigators from across the world to discuss the latest criminal trends and developments on the dark web.”
FTC nominees call on Congress to pass privacy legislation.
At a confirmation hearing before the US Senate Commerce Committee yesterday, three nominees to the Federal Trade Commission (FTC) urged Congress to pass a federal privacy bill. As CyberScoop reports, the data brokerage market and artificial intelligence tech were particular topics of discussion. Andrew Ferguson, a Republican nominee and the current solicitor general for the state of Virginia, stated, “This issue is new, it’s complicated, and it’s going to affect people in a way that the commission simply can’t grapple with the way Congress can.” In the absence of nationwide legislation, Virginia is one of several US states that have passed their own privacy bills, adding to the complicated patchwork of state-level privacy legislation across the country. While Ferguson acknowledged that the FTC could spearhead federal legislation to harmonize these disparate laws, he said Congress should “take the lead.” The FTC has already initiated a rulemaking effort to address the collection of consumer data, but Democrat FTC commissioner nominee Rebecca Slaughter pointed out that some lawmakers feel that in doing so the commission has pushed the limits of its authority. Addressing Congress, she stated, “You can look at these issues much more broadly.”
Some lawmakers have expressed similar concerns about the FTC attempting to regulate AI, worrying that stiff regulations could hamper innovation. Slaughter argued that some aspects of reining in AI do fall under the FTC’s purview, which includes preventing deceptive practices and unfair competition. “Some of those may be triggered by some deployments or uses of AI, and we should be thoughtful about applying them,” Slaughter stated. That said, she noted that it’s up to Congress to determine what additional AI protections should be implemented outside of the FTC’s powers.
Automotive cybersecurity: vulnerabilities.
IOActive has published a report on automotive cybersecurity between the years 2012 and 2022, finding “a definite overall increase in vulnerabilities related to web and vendor dependencies, an interim increase in information disclosure, and an overall decrease in issues caused by failure to follow the principle of least privilege and vendor backdoors.”
The report states, “In general, IOActive observed a net positive in risk-remediation strategies that have benefited modern vehicles; however, while there is an overall decrease in the number of critical-impact and high-impact vulnerabilities, there is a net increase in the overall risk. Based on further investigation, these trends are largely the result of the new technologies in modern vehicles and supply-chain management. Although the automotive industry is ‘building better,’ there is an evident disparity in the maintenance and harmonization of new and existing systems. Explicit emerging threats include managing the Software Bill of Materials (SBOMs) and third-party vendors and a subtle trend to hyper-focus on severe threats, potentially paving the way for attack chaining.”
Preemptive stress-testing of voting machines.
CNN reports that voting machine manufacturers in the US are preemptively having cybersecurity firms stress-test their devices in advance of the 2024 elections. The tests will be conducted transparently and widely publicized. The vendors hope that such testing will head conspiracy theories off before they gain traction. One hopes the programs will have an effect, but betting on form, it seems unlikely that paranoid speculation will yield to rational presentation of carefully collected evidence.
TikTok will label AI-created content.
AI-generated content has attracted attention because of the promise (or menace) it carries of being able to create and amplify messaging at scale. TikTok is among the platforms working to come to grips with artificial intelligence. For now, TikTok will prompt users to flag content as AI-generated, if that's how they produced it. The mark is self-applied and depends upon user compliance, but the service is working on methods that would automate some or all of the tagging.
Eduardo Azanza, CEO, Veridas, sees the development as a step toward greater transparency. "With TikTok joining Instagram in labeling AI-generated content, the media landscape heads in a more transparent direction. Both parent companies of the prominent social media platforms have faced harsh backlash from regulatory bodies in both the US and UK, most likely influencing their decisions to limit the dissemination of fake images and videos responsibly. With an increase in the abuses of deepfake images and videos online, AI-generated content has the potential to spread misinformation on a large scale and manipulate the public, making these labels all the more critical," he wrote in emailed comments. "AI will only continue to improve, and it has already become more challenging to distinguish authentic content from artificially generated content. Adding labels to AI-generated content protects the public from being left to decipher the two and allows for informed media consumption. As labeling AI-generated content is becoming a common practice among social media platforms, it is important for them to continue to come together to align with standards and regulations that promote the common good. That way, we continue to mitigate the harmful uses of AI, while giving users the appropriate context necessary to engage with it safely. The use of generative AI can lead to the production of synthetic identities (known as Deepfakes). Companies should look for solutions that defend a passwordless future, identifying people for who they are and not for what they know as a key to enhancing security and privacy. Currently, businesses utilize solutions provided by certified technology vendors who develop AI algorithms that can be trained to detect synthetic 'content' to protect people's identities."