This week’s Cyber Security Headlines – Week in Review, May 1-5, is hosted by Rich Stroffolino with our guest, Allison Miller, Cybersecurity and Technology Executive
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Former Uber security chief Sullivan avoids prison in data breach case
In a story that broke late yesterday, the former chief security officer at Uber, Joe Sullivan, avoided prison while being sentenced for covering up the 2016 theft of company data on 50 million Uber customers while the company was being investigated by the Federal Trade Commission over a previous breach. U.S. District Judge William Orrick sentenced Sullivan to three years of probation, noting his significant past work in protecting people from the sort of crime he later concealed. He also said that Sullivan’s steps had succeeded in keeping the stolen data from being exposed.
DOJ detected the SolarWinds hack 6 months earlier than first disclosed
Kim Zetter, writing in Wired, states that the US Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, but were unaware of its significance. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. Investigators reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In August 2020, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite.
(Wired)
‘Godfather of AI’ quits Google and warns of misinformation dangers
Geoffrey Hinton, known as the ‘Godfather of AI,’ has quit Google in order to speak freely about the dangers of AI and, in part, regrets his contribution to the field. Hinton, who helped develop Google’s AI over the past decade, said he believed the company to be a “proper steward” of the tech up until Microsoft started incorporating a chatbot into its Bing search engine. Hinton expressed concerns about the possibility of AI upending the job market and added that he was also concerned about the “existential risk of what happens when these things get more intelligent than us.”
Data breach lawsuits on the rise
A new report from the law firm BakerHostetler found that more individuals impacted by data breaches are filing lawsuits against organizations, up from lawsuits filed in 1% of incidents in 2018 to 8.5%. Some of these lawsuits came from relatively small breaches, with about 10% filed over incidents impacting fewer than 1000 people. Overall, the firm found companies paying more on average in ransomware attacks, up 17% on the year to roughly $600,000. The cost of investigating incidents also climbed, with the average cost to investigate the 20 largest network attacks up 25% on the year in 2022 to $550,000.
Thanks to today’s episode sponsor, Trend Micro

Google rolls out passkeys
The passwordless future is a little bit closer. Google rolled out support for switching to passkeys on Google accounts. Google will prompt users for a passkey when detecting suspicious activity, and users can request a one-time sign-in when using a different device. Passkeys can be revoked in Google account settings. Google accounts will also support existing password-based logins for the foreseeable future.
In related news, while not an actual passkey, the password manager Dashlane plans to roll out a new device-based “Passwordless Login” using similar cryptographic keys. The company says it plans to open-source part of the tech for auditing and bug fixing. While Dashlane won’t use a proper passkey for logins, it will support storing passkeys in its vault.
Microsoft plans to offer private ChatGPT servers
Earlier this week, Samsung banned employees from using ChatGPT on company devices, citing concerns about leaking data. This came after it accidentally leaked source code to the AI chatbot. It seems there may be quite a few companies that want to use generative AI tech in a more constrained environment, because The Information’s sources say Microsoft plans to offer a version of ChatGPT that will run on private servers. This seems tailored for organizations concerned about data leaks or compliance issues. The report says the service “could cost as much as 10 times what customers currently pay to use the regular version of ChatGPT.”
Drone goggles maker claims firmware sabotaged to ‘brick’ devices
Orqa, a maker of First Person View (FPV) drone racing goggles, claims that a contractor introduced code into its devices’ firmware that acted as a time bomb designed to brick them. On Saturday, Orqa started receiving reports from customers surprised to see their FPV.One V1 goggles enter bootloader mode and become unusable. The company said it found the ransomware time bomb, which had been secretly planted a few years ago by a “greedy former contractor,” with the intention of extracting an exorbitant ransom from the company.
Google to remove secure website indicators in Chrome 117
On Tuesday, Google announced that its beloved lock icon, long thought to be a sign of website security and trustworthiness, will soon be replaced with a “variant of the tune icon.” More than 99% of all web pages are now loaded in Google Chrome over HTTPS. However, Google noted they don’t want users to assume these sites are safe, pointing out that nearly all phishing sites use HTTPS, and therefore also display the lock icon. The lock icon will be changed in Chrome 117, due for release in September 2023.