Wednesday, November 05, 2025

 AI Enhanced Mutating Malware

It's not surprising that threat actors are early technology adopters. In this case, AI-enhanced malware permits what appears to be on-the-fly code mutation.

Excerpt from Cybersecurity Dive: 

"Five newly discovered malware families — FRUITSHELL, PROMPTFLUX, PROMPTSTEAL, PROMPTLOCK and QUIETVAULT — exhibit novel AI-powered capabilities, Google reported, including the ability to hide their code from security software, create attack capabilities on demand and dynamically generate scripts. 'While still nascent,' Google said, 'this represents a significant step toward more autonomous and adaptive malware.'"

https://www.cybersecuritydive.com/news/ai-powered-malware-google/804760/ 

Nothing's Funny about this one. 

Friday, September 12, 2025

Back (again) after a long hiatus

Yes, it's been a few busy, but very interesting years. With that said, my practice focus remains cybersecurity. Pre-incident risk assessments and defensibility guidance, post incident remediation, mitigation, and helping clients work through the legal and administrative morass of incident reporting, notification, and regulatory investigation. As a result, I've become more involved with the ramifications of what I call upstream liability exposure for organizations that outsource core and security management to third parties. In most instances that exposure leads to litigation - and I'm here to provide some intelligence as this area of practice ramps up. And artificial intelligence is providing much of the accelerant.

Stay tuned for some less infrequent posts. 

Btw, I highly recommend creating, and fulfilling, bucket list items. A few items to check off for me: I teach a law school cybersecurity workshop as well as an artificial intelligence law and practice workshop for law students who want to be, and remain, competitive in the marketplace. Pay is, well, not much, but what a giving back experience. I also wrote a cybersecurity guide for law firms. Had to scratch that itch.

Stay safe.  And still, Nothing's Funny.


Monday, March 28, 2022

 March 29, 2022 - What. A Gan? [Fraudulently] Monetizing Fake (GAN) Faces.

Think you can tell the difference? Try this test first: https://www.whichfaceisreal.com/

Then, read the Register about how businesses are using artificially generated faces:

Excerpt from the article:

NPR looked into DiResta and Goldstein's claims and found more than 70 businesses linked to the fake profiles. Several of the businesses said they had hired outside marketers, but expressed surprise when told about the fake LinkedIn profiles. The businesses also denied authorizing the campaigns.

Accounts like Ramsey's are used by companies to pitch software to potential new customers, and whenever a target responds they're redirected to a real person. With this technique, companies are able to greatly broaden their reach without having to hire new people, NPR said.

Wednesday, March 09, 2022

2022-03-09 - President Biden issues executive order on protection of crypto-based assets. From the Fact Sheet issued today:

Outlines First Whole-of-Government Strategy to Protect Consumers, Financial Stability, National Security, and Address Climate Risks

Digital assets, including cryptocurrencies, have seen explosive growth in recent years, surpassing a $3 trillion market cap last November and up from $14 billion just five years prior. Surveys suggest that around 16 percent of adult Americans – approximately 40 million people – have invested in, traded, or used cryptocurrencies. Over 100 countries are exploring or piloting Central Bank Digital Currencies (CBDCs), a digital form of a country’s sovereign currency.

The rise in digital assets creates an opportunity to reinforce American leadership in the global financial system and at the technological frontier, but also has substantial implications for consumer protection, financial stability, national security, and climate risk. The United States must maintain technological leadership in this rapidly growing space, supporting innovation while mitigating the risks for consumers, businesses, the broader financial system, and the climate. And, it must play a leading role in international engagement and global governance of digital assets consistent with democratic values and U.S. global competitiveness.

That is why today, President Biden will sign an Executive Order outlining the first ever, whole-of-government approach to addressing the risks and harnessing the potential benefits of digital assets and their underlying technology. The Order lays out a national policy for digital assets across six key priorities: consumer and investor protection; financial stability; illicit finance; U.S. leadership in the global financial system and economic competitiveness; financial inclusion; and responsible innovation.

Specifically, the Executive Order calls for measures to:

  • Protect U.S. Consumers, Investors, and Businesses by directing the Department of the Treasury and other agency partners to assess and develop policy recommendations to address the implications of the growing digital asset sector and changes in financial markets for consumers, investors, businesses, and equitable economic growth. The Order also encourages regulators to ensure sufficient oversight and safeguard against any systemic financial risks posed by digital assets.
  • Protect U.S. and Global Financial Stability and Mitigate Systemic Risk by encouraging the Financial Stability Oversight Council to identify and mitigate economy-wide (i.e., systemic) financial risks posed by digital assets and to develop appropriate policy recommendations to address any regulatory gaps.
  • Mitigate the Illicit Finance and National Security Risks Posed by the Illicit Use of Digital Assets by directing an unprecedented focus of coordinated action across all relevant U.S. Government agencies to mitigate these risks. It also directs agencies to work with our allies and partners to ensure international frameworks, capabilities, and partnerships are aligned and responsive to risks.
  • Promote U.S. Leadership in Technology and Economic Competitiveness to Reinforce U.S. Leadership in the Global Financial System by directing the Department of Commerce to work across the U.S. Government in establishing a framework to drive U.S. competitiveness and leadership in, and leveraging of digital asset technologies. This framework will serve as a foundation for agencies and integrate this as a priority into their policy, research and development, and operational approaches to digital assets.
  • Promote Equitable Access to Safe and Affordable Financial Services by affirming the critical need for safe, affordable, and accessible financial services as a U.S. national interest that must inform our approach to digital asset innovation, including disparate impact risk. Such safe access is especially important for communities that have long had insufficient access to financial services.  The Secretary of the Treasury, working with all relevant agencies, will produce a report on the future of money and payment systems, to include implications for economic growth, financial growth and inclusion, national security, and the extent to which technological innovation may influence that future.
  • Support Technological Advances and Ensure Responsible Development and Use of Digital Assets by directing the U.S. Government to take concrete steps to study and support technological advances in the responsible development, design, and implementation of digital asset systems while prioritizing privacy, security, combating illicit exploitation, and reducing negative climate impacts.
  • Explore a U.S. Central Bank Digital Currency (CBDC) by placing urgency on research and development of a potential United States CBDC, should issuance be deemed in the national interest. The Order directs the U.S. Government to assess the technological infrastructure and capacity needs for a potential U.S. CBDC in a manner that protects Americans’ interests. The Order also encourages the Federal Reserve to continue its research, development, and assessment efforts for a U.S. CBDC, including development of a plan for broader U.S. Government action in support of their work. This effort prioritizes U.S. participation in multi-country experimentation, and ensures U.S. leadership internationally to promote CBDC development that is consistent with U.S. priorities and democratic values.

The Administration will continue work across agencies and with Congress to establish policies that guard against risks and guide responsible innovation, with our allies and partners to develop aligned international capabilities that respond to national security risks, and with the private sector to study and support technological advances in digital assets.

https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/09/fact-sheet-president-biden-to-sign-executive-order-on-ensuring-responsible-innovation-in-digital-assets/?utm_source=link

 

Friday, February 25, 2022

 2022-02-25

Cyberwar is Kinetic War - A warning from a contributor to CNN Reliable Sources - Relevant to any individual or enterprise:

"This is an evergreen but currently relevant tip for journalists as well as others who may be involved in sharing information about the conflict, from Harvard Shorenstein fellow Jane Lytvynenko: 'Make sure your reporters, [editors], photographers, admin staff, and anyone else involved in covering this war has strong cybersecurity hygiene. Vet sources. Check documents. Be aware of phishing attack potential. 2fa everywhere via an app. Password variation. Everything.'" #cybersecurity #cybervigilance

Wednesday, February 23, 2022

2022-02-23

It's so...2022: New ISO 27002:2022 Published

ISO 27002:2022 Considerations for certifiers-in-process (and the certified) for 2022 and beyond:

1. The standard now aggregates information security, cybersecurity into a unitary document
2. Four "Controls" Themes - People, physical, technological and organizational.
3. Relevant new controls are directed to data loss prevention, IoT, and, introducing: threat intelligence.
4. Handy Annex A to 27002:2022 provides means to demonstrate cyber/information, etc. postures

The standard will likely require currently certified entities to update or create new policies.

Important Note: Annex A to ISO27001 is in the final steps of being updated (perhaps as early as Q2 2022) to put it in accordance with ISO27002:2022. For re-certifying entities, this will mean a two-year compressed certification time frame. Newly certifying entities should become aware of and address their activities to incorporate relevant additional, modified requirements. #cybersecurity #iot #ISO27002


Threat intelligence now includes litigation intelligence.


 


Tuesday, September 14, 2021

2021-09-14: Update. Your. Apple. Device. Now.

 Well, it's been a while. New firm, all virtual, same practice. Just a quick reminder to update your Apple device - now. Unless you want to donate information to NSO. And I don't mean the National Symphony Orchestra. Seriously, do it.