There is yet another attack possible against Protected Media Path process beyond the one involving two global XOR keys. The new attack may also result in the extraction of a plaintext content key value.

    Hello All,There is yet another attack possible against Protected Media Pathprocess beyond the one involving two global XOR keys [1]. The newattack may also result in the extraction of a plaintext content keyvalue.The attack has its origin in a white-box crypto [2] implementation.More specifically, one can devise plaintext content key from white-boxcrypto data structures of which goal is to make such a reconstructiondifficult / not possible. This alone breaks one of the main securityobjective of white-box cryptography which is to protect the secret key(unbreakability) [3].Contrary to the initial (XOR key) attack, the white-box crypto attackis not limited to the given narrow time window (white-box datastructures need to be present for the time of a movie decryption /playback). Fixing it might require a completely new approach /implementation (current one is obviously flawed).In that context, white-box crypto attack seems to be more severe thanthe XOR key one.Additionally, a cryptographic check proving that extracted key valuescorrespond to real keys has been conducted for Canal+ Online, Netflix,HBO Max, Amazon Prime Video and Sky Showtime.The check relies on a digital cryptographic signature verification.Such a signature is appended at the end of each license issued byPlayReady license server.The crypto check works as following:- plaintext value of a digital signature key encrypted through ECC isextracted from a Protected Media Path process- the extracted signature key is used to calculate the AES-CMAC valueof a binary licence XMR blob- the calculated signature value is checked against the signatureappended at the end of the issued license- correct AES-CMAC value implicates correct signature key (and correctcontent key)The above mechanism is also used by Microsoft to verify thecorrectness of decrypted content keys received from a license server.It relies on the fact that signature key is part of the same encryptedlicense blob as content key. Thus, successful extraction of asignature key implicates successful extraction of a content key.In the context of no confirmation / denial [4] from the platformsindicated above as being affected, the crypto check should constitutesufficient proof to support that claim alone.Thank you.Best Regards,Adam Gowdiak----------------------------------Security Explorations -AG Security Research Labhttps://security-explorations.com----------------------------------References:[1] Microsoft Warbird and PMP security research    https://security-explorations.com/microsoft-warbird-pmp.html[2] White-box cryptography, Wikipedia    https://en.wikipedia.org/wiki/White-box_cryptography[3] White-Box Security Notions for Symmetric Encryption Schemes    https://eprint.iacr.org/2013/523.pdf[4] Microsoft DRM Hack Could Allow Movie Downloads From PopularStreaming Services    https://www.securityweek.com/microsoft-drm-hacking-could-allow-movie-downloads-from-popular-streaming-services/

Microsoft PlayReady Cryptography Weakness

Plus: Google holds off on killing cookies, Samourai Wallet founders get arrested, and GM stops driver surveillance program.

Controversial gunshot-detection company ShotSpotter has deployed more than 25,000 microphones across 170 cities worldwide. This week, WIRED and _South Side Weekly_ revealed the company may continue to provide gunshot data to police in cities even after contracts have ended. Internal emails seen by the publications suggest ShotSpotter sensors may have stayed online despite law enforcement deals having expired, raising questions about what will happen to 2,500 microphones in Chicago when its contract runs out at the end of the year.

Elsewhere, Change Healthcare finally admitted to paying a ransom to the AlphV hackers, also known as BlackCat, that extorted the medical company. Weeks ago, WIRED revealed the attackers were paid $22 million, one of the largest ransomware payments ever. However, in a statement this week the company admitted for the first time that it paid the ransom as part of its effort “to do all it could to protect patient data from disclosure.” Some of that data still found its way onto the dark web.

In another successful grift, researchers have found animators in North Korea creating artwork for major Hollywood studios. A misconfigured North Korea cloud server, discovered at the end of last year, contained thousands of animation files, notes, and working documents for productions of shows that stream on Amazon Prime Video and Max. The companies likely didn’t know workers from the Hermit Kingdom were creating the artwork, but it’s another example of how North Korea is using skilled workers to circumvent sanctions and make the regime money.

Meanwhile, Cisco revealed this week that some of its devices, called Adaptive Security Appliances, have been targeted by state-sponsored hackers who exploited two zero-day vulnerabilities in the systems. The attack, dubbed ArcaneDoor, is believed to have had an espionage focus and sources suspect China’s state-backed hackers may be the culprits.

The November presidential elections may still be months away, but the next US president will have increased surveillance capabilities. This week Joe Biden signed a controversial bill extending and enhancing Section 702 of the Foreign Intelligence Surveillance Act. FISA allows spy agencies to collect Americans’ calls, emails, and more when pursuing foreign intelligence. Critics say the changes are “a gift to any president who may wish to spy on political enemies.”

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**School Principal Framed Using AI Voice Deepfake**

In January, an Instagram account in Baltimore, Maryland, posted an alleged audio recording of local school principal Eric Eiswert making racist and antisemitic comments. Baltimore County Public Schools quickly opened an investigation into the incident. However, this week, a former athletic director at Pikesville High School was arrested after police said he used artificial intelligence software to create the fake audio clip of Eiswert. The audio included comments about “ungrateful Black kids” and disparaging remarks about the Jewish community.

Dazhon Darien, the former staff member, was arrested after being stopped in possession of a gun at an airport when officials saw there was an outstanding arrest warrant, the _Baltimore Banner_ reported. The media organization reports that Darien was charged with disrupting school activities and stalking. The fake clip was allegedly made in retaliation for the principal investigating Darien over irregular payments to his roommate.

Police reports, the _Banner_ says, indicate that the audio clip had a “profound” impact on the school principal. “It not only led to Eiswert’s temporary removal from the school but also triggered a wave of hate-filled messages on social media and numerous calls to the school,” police reports said.

Voice-cloning technology, which can fall under the broader banner of deepfake technology, has rapidly improved within the last year. Cloning tools can recreate someone’s voice to a relatively realistic level using just a few seconds of real audio. The systems have increasingly been used to impersonate politicians and scam people over the phone.

**General Motors Stops Driving Surveillance, Following Privacy Complaints**

Your car knows a lot about you—from where and how you drive, to your weight and how you sit. This week, following a series of revelations from _New York Times_ reporter Kashmir Hill, General Motors announced it will end its “Smart Driver” program and unenroll all customers. Until the reports from the _Times_, GM was sharing data with data brokers LexisNexis and Verisk, which shared it with insurers and led to high payments for some people. The OnStar Smart Driver program had been designed to promote safer driving, GM said. However, many people were not aware they had been enrolled in the system. Ten lawsuits have been filed so far about the Smart Driver program and how it shared data.

**Google Delays Killing Cookies—Again**

In January 2020, Google said it would remove third-party cookies from Chrome within two years—following Safari, Brave, Firefox, and other browsers in eradicating the tracking technology. It’s now April 2024 and the company has delayed the change for a third time, saying it’ll happen in 2025. Google’s proposed cookie replacement has faced scrutiny from competition and privacy regulators in the UK, with critics saying cookies are just being replaced by another form of tracking and suggesting the changes could further benefit Google’s ad business.

**Samourai Wallet Founders Arrested Over $2 Billion Unlawful Transactions**

Keonne Rodriguez and William Lonergan Hill, the founders of crypto-mixing service Samourai Wallet, were charged by US prosecutors this week for running an unlicensed money transfer business and conspiracy to commit money laundering. The company processed $2 billion in “unlawful transactions” and “facilitated more than $100 million in money laundering,” according to Damian Williams, the United States Attorney for the Southern District of New York, and other investigators. The charges can carry a maximum of 20 years each. The move comes as US prosecutors try to clampdown on crypto mixing services that may be used to hide funds or allow illicit behavior. Mixers Bitcoin Fog, Helix, and Tornado Cash have all faced action in recent years.

**Chinese Keyboard Vulnerabilities Could Reveal Typing**

New research from the University of Toronto’s Citizen Lab this week revealed vulnerabilities in eight Chinese keyboard apps that, if exploited, could allow everything typed to be intercepted. Up to a billion people may be impacted, the researchers say. They tested apps from major technology companies and phone makers, including Baidu, Honor, Huawei, Samsung and Tencent. “Most of the vulnerable apps can be exploited by an entirely passive network eavesdropper,” they researchers write, adding that most of the impacted companies fixed the vulnerabilities when they were reported.

School Employee Allegedly Framed a Principal With Racist Deepfake Rant

The refunds will be made to individual affected customers through thousands of PayPal payments, available to be redeemed for a limited time.

Source: Len Holsborg via Alamy Stock Photo

The Federal Trade Commission (FTC) is refunding over $5.6 million to Ring customers after a 2023 privacy settlement.

Last year the FTC filed complaints against Ring, the home security company owned by Amazon, after accusations arose that employees were spying on female customers in bedrooms and bathrooms. Not only this, but the company failed to notify and obtain consent from customers regarding use of security video footage for training purposes until 2018.

The FTC asserted that Ring had failed to restrict access to its videos, failed to gain user consent, and failed to implement security safeguards leading to "egregious violations of users' privacy."

The FTC will be making the refunds through 117,044 PayPal payments to customers, depending on the type of Ring device used during the period when unauthorized users could have accessed Ring video footage.

**About the Author(s)**

FTC Issues $5.6M in Refunds to Customers After Ring Privacy Settlement

The FTC is paying Ring customers in the US a totoal of $5.6 million over charges that the company allowed employees to access private videos.

Amazon’s Ring has settled with the Federal Trade Commission (FTC) over charges that the company allowed employees and contractors to access customers’ private videos, and failed to implement security protections which enabled hackers to take control of customers’ accounts, cameras, and videos.

The FTC is now sending refunds totaling more than $5.6 million to US consumers as a result of the settlement.

Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, home security cameras and video doorbells.

However, in a shocking lapse of security protection, it turned out that every single person working for Amazon Ring, whether they were an employee or a contractor, was able to access every single customer video, even when it wasn’t necessary for their jobs.

But that wasn’t the only issue. In May 2023, the FTC stated that:

> “Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using its customer videos to train algorithms without consent, and failing to implement security safeguards. These practices led to egregious violations of users’ privacy.”

The FTC gave the example of one employee who, over several months, viewed thousands of video recordings belonging to female users of Ring cameras that were pointed at intimate spaces in their homes such as their bathrooms or bedrooms. This didn’t stop until another employee discovered the misconduct.

The FTC is now sending 117,044 PayPal payments to US customers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Customers should redeem their PayPal payment within 30 days.

“The FTC identified eligible Ring customers based on data provided by the company,” the agency told BleepingComputer, clarifying that Ring users “were eligible for a payment if their account was vulnerable because of privacy and security problems alleged in the complaint.”

Consumers who have questions about their payment should contact the refund administrator, Rust Consulting, Inc., at 1-833-637-4884, or visit the FTC website to view frequently asked questions about the refund process.

**Beware of scammers**

As always, you can expect scammers to take advantage of this news. So, it’s important to know that the FTC never asks people to pay money or provide account information to get a refund.

A payment or claim form sent as part of an FTC settlement will include an explanation of, and details about, the case. The case will be listed at ftc.gov/refunds, along with the name of the company issuing payments and a phone number for questions.

The FTC only works with four private companies to handle the refund process:

*   Analytics Consulting, LLC
*   Epiq Systems
*   JND Legal Administration
*   Rust Consulting, Inc.

Before sending any PayPal payment, the FTC will send an email from the subscribe@subscribe.ftc.gov address to issue a payment recipient. Once payments have been issued, PayPal will send an email telling recipients about their refund.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Ring agrees to pay $5.6 million after cameras were used to spy on customers 

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

A major international law enforcement effort involving agencies from 19 countries has disrupted the notorious LabHost phishing-as-a-service platform.

Europol reports that the organization’s infrastructure has been compromised, its website shut down, and 37 suspects arrested, including four people in the UK linked to the running of the site, which also allegedly included the original developer of the service.

Europol’s announcement also hints that this isn’t the end of the story, and users of the platform should ready themselves for some uncomfortable encounters with law enforcement in the future. As Europol said in its release:

> A vast amount of data gathered throughout the investigation is now in the possession of law enforcement. This data will be used to support ongoing international operational activities focused on targeting the malicious users of this phishing platform.

The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site:

> Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing. We’ve shown them we know how much they’ve paid to LabHost, how many different sites they’ve accessed and how many lines of data they’ve received. Many of these individuals will remain the focus of investigation over the coming weeks and months.

In a phishing attack, criminals use emails to trick users into entering details like passwords or credit card numbers into fake websites. The emails and websites typically mimic popular brands like UPS, Amazon, or Microsoft, and copy the format of emails sent by those companies, luring victims with things like fake security alerts.

Phishing-as-a-Service (PaaS) provides the tools and infrastructure criminals need to carry out phishing attacks on a subscription basis, so they don’t have to create and run it themselves. This lowers the barrier to entry for these kinds of crimes and puts sophisticated tools in the hands of people who wouldn’t otherwise have access to them.

LabHost was set up in 2021 and grew to become one of the largest PaaS vendors. Europol says that “with a monthly fee averaging $249, LabHost would offer a range of illicit services which were customizable and could be deployed with a few clicks.” Those services reportedly included a menu of over 170 fake websites for users to choose from, and a campaign management tool called “LabRat” that could capture two-factor (2FA) authentication codes.

The phishing platform is reported to have had 2,000 registered users and was used to create “more than 40,000 fraudulent sites.” The Met says that around 70,000 individual UK victims have been phished using the service, and that globally, it swallowed up 480,000 card numbers, 64,000 PIN numbers, and more than one million passwords.

Victims in the UK have been contacted by the Met to inform them that some of their data has been compromised. Ironically, thousands of victims being contacted in this way creates an opportunity for copycat phishing emails with Met branding. For that reason, the Met has been careful not to include any links in its communications and warns potential victims that:

> …if you receive any contact from the Met with links in, this will be fraudulent so please do not engage with this.

If you’ve been contacted by the Metropolitan Police about the LabHost breach you can find some useful guidance and support on its LabHost Disruption page.

 Law enforcement reels in phishing-as-a-service whopper 

Permiso Security announced Cloud Console Cartographer during Black Hat Asia to help defenders look inside Amazon Web Services events logs for signs of cyberattacks.

Source: Pop Tika via Shutterstock

When investigating a potential attack on cloud services, Daniel Bohannon frequently has to contend with the verbose logging of Amazon Web Services (AWS), a problem that can allow an attacker to hide in an avalanche of data.

While AWS typically produces only a single event for every programmatic API call, accessing the management console through the Web leads to an exponential increase in events, says Bohannon, a principal threat researcher with cloud identity service provider Permiso Security. In one session, for example, 81 clicks on users, workloads, and roles resulted in 5,370 events recorded in the AWS log file.

The sheer volume of events results in so much noise that it becomes hard to determine what a user is actually doing in the AWS console, the threat researcher says. For that reason, Bohannon and fellow threat researcher Andi Ahmeti plan to release an open source tool at the Black Hat Asia conference in Singapore to help security managers and incident responder consolidate cloud log events into a record of user actions.

"The idea is that you input your raw logs — and we \[show\] 100% of those raw logs — but then we enrich the data on top of that, which ... contains all the information about the events that led to those events," he says. "We all have that full signal information, which ... contains the summary, the labels, all that kind of stuff."

Historically, the volume of data in log files have made it difficult to determine the events that led up to a compromise. Sometimes the problem is that the cloud service does not log enough events to determine what happens, such as last year's criticism that Google Cloud Platform (GCP) fails to log adequate data when a user accesses a storage instance.

In other cases, the specific ways that cloud services communicate information to their customers can result in a lack of visibility, especially with the differences that companies face with multicloud use. More than half of companies have open ports undermining their security and take some two months to close the vulnerabilities. 

**AWS Produces Avalanche of Events**

For businesses using AWS, the number of events produced in a log while using the Web console can be significant. Just clicking on a list of users produces 18 events for only three identities, and that's a mild case of AWS's verbosity, says Bohannon. A user who clicks in the AWS console to view the users in the identity and access management (IAM) console will see more than 300 events produced in the logs for CloudTrail, Amazon's auditing capability.

"That number can actually get as high as 100, 300, or even 700 events, depending on the settings you have in your Web browser — all just for one click," he says. "So at a core level, every single action you take produces at least one event, but often it's dozens or sometimes even hundreds of additional events associated with it."

The researchers' open source tool, Cloud Console Cartographer, aims to turn the list of events captured by CloudTrail into a succinct timeline of actions taken by the user. The program adds comments to the cloud log that categorizes a series of captured events into signals — actual user actions.

"We want to show all of our mapping to remove as much noise as we can but still keep all the raw events," Bohannon says. "So anything that's unmapped is great, it's still evidence, and defenders can make the most sense of it."

**No Plans for Other Clouds**

Cloud Console Cartographer, which will be available on GitHub, produces an enriched log of events and has a Web interface that lists the signals in a table. Currently, 240-plus rules for classifying collections of events into user actions — that is, signals — have been created that will be used to enrich log files.

The two threat researchers intend to keep working on expanding the number of classifiers and hope that others will do the same.

Bohannon and Ahmeti may move on to developing the tool for other cloud platforms, but because different cloud providers have different ways of logging, what works for AWS will not work for Microsoft Azure or Google Cloud Platform, they say. AWS is verbose, but Azure is the opposite — its logs are so terse as to be unhelpful, Bohannon says.

"I feel like every platform, every cloud platform has unique challenges that will have to be addressed in different ways," he says. "So we might find in the future that we can integrate other cloud platforms into this, but \[for now\] we at least have plans for additional GUIs related to AWS that we are going to be working on after the initial release."

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Open Source Tool Looks for Signals in Noisy AWS Cloud Logs

Red Hat and the National Institute of Standards and Technology (NIST) are pleased to announce our third annual Cybersecurity Open Forum – Improving the Nation’s Cybersecurity. On April 24, 2024, cybersecurity experts will gather in Washington, D.C., to share best practices and strategies for successfully navigating the evolving cybersecurity landscape. As threats evolve in sophistication and scale, government and industry must adapt swiftly and effectively to protect data and infrastructure.Attendees will learn about the nature of cybersecurity vulnerabilities, strategies to enable protect

Red Hat and the National Institute of Standards and Technology (NIST) are pleased to announce our third annual Cybersecurity Open Forum – Improving the Nation’s Cybersecurity. On April 24, 2024, cybersecurity experts will gather in Washington, D.C., to share best practices and strategies for successfully navigating the evolving cybersecurity landscape. As threats evolve in sophistication and scale, government and industry must adapt swiftly and effectively to protect data and infrastructure.

Attendees will learn about the nature of cybersecurity vulnerabilities, strategies to enable protection in open cloud-based environments, and approaches to help safeguard against current and emerging threats to data and commerce. There is a special focus on space systems as a unique area that pushes the boundaries of cybersecurity use cases while it tackles modern requirements and challenges. Topics will span computing security measures, practices and policies, with a focus placed on cybersecurity around data applications in space.

Top sessions will include:

*   Keynote: The Convergence of AI, Cybersecurity, and Digital Assets: A New Dawn for Financial Infrastructure
*   Panel: Emerging Technologies for Space Systems
*   Panel: Security for AI and Autonomous Space Activity

Notable government executives scheduled to present include:

*   Dr. Dianne Poster, Senior Advisor, Material Measurement Laboratory, NIST
*   Rob Powell, Senior Advisor for Cybersecurity National Aeronautics and Space Administration (NASA)
*   Matthew Scholl, Division Chief, Computer Security Division, Information Technology Laboratory (ITL), NIST
*   Nick Leiserson, Assistant National Cyber Director for Cyber Policy and Programs, The White House

They’ll join Red Hat speakers Adam Clater, Chief Architect, Financial Services, and Michael Epley, Chief Architect and Security Strategist, as well as Keith Frederick, CISO-GEM, Viasat and Michael Greenwald, Global Head, Financial Innovation and Digital Assets, Amazon Web Services.

Secure your spot and register here.

Learn about trends and best practices from top security experts at Red Hat and NIST's Cybersecurity Open Forum

Caller ID spoofing and AI voice deepfakes are supercharging phone scams. Fortunately, we have tools that help organizations and people protect themselves against the devious combination.

Source: Ian Allenden via Alamy Stock Photo

COMMENTARY  
Three seconds of audio is all it takes to clone a voice. Vishing, or voice fraud, has rapidly become a problem many of us know only too well, impacting 15% of the population. Over three-quarters of victims end up losing money, making this the most lucrative type of imposter scam on a per-person basis, according to the US Federal Trade Commission (FTC).

When caller ID spoofing is combined with AI-based deepfake technology, fraudsters can, at very little cost and huge scale, disguise their real numbers and locations and highly convincingly impersonate trusted organizations, such as a bank or local council, or even friends and family.

While artificial intelligence (AI) is presenting all manner of new threats, the ability to falsify caller IDs is still the primary point of entry for sophisticated fraud. This has also posed serious challenges for authenticating genuine calls. Let's delve into the criminal world of caller ID spoofing.

**What's Behind the Rise in Voice Fraud?**

The democratization of spoofing technology, such as spoofing apps, has made it easier for malicious actors to impersonate legitimate caller IDs, leading to an increase in fraudulent activities conducted via voice calls. One journalist, who said she's known for her rational and meticulous nature, fell victim to a sophisticated scam that exploited her fear and concern for her family's safety. Initially contacted through a spoof call that appeared to be from Amazon, she was transferred to someone posing as an FTC investigator, who convincingly presented her with a fabricated story involving identity theft, money laundering, and threats to her safety.

These stories are becoming increasingly common. Individuals are primed to be skeptical of a withheld, international, or unknown number, but if they see the name of a legitimate company flash up on their phones, they are more likely to answer the call in an accommodating manner.

In addition to spoofing, we are also seeing a rise in AI-generated audio deepfakes. Last year in Canada, criminals scammed senior citizens out of more than $200,000 by using AI to mimic the voices of loved ones in trouble. A mother in the US state of Arizona also received a desperate call from her 15-year-old daughter claiming she'd been kidnapped; the call turned out to be AI-generated. When combined with caller ID spoofing, these deepfakes would be almost impossible for the average person to catch.

As generative AI and AI-based tools become more accessible, this kind of fraud is becoming more common. Cybercriminals don't necessarily need to make direct contact to replicate a voice because over half of people willingly share their voice in some form at least once a week on social media, according to McAfee. Nor do they need exceptional digital skills, since apps do the hard work of cloning the voice based on a short audio clip, as highlighted recently by high-profile deepfakes of US President Joe Biden and singer Taylor Swift.

Entire organizations can fall prey to voice fraud, not just individuals. All it takes is one threat actor to convince one employee to share some seemingly insignificant detail about their business over the phone, which is then used to join the dots and enable a cybercriminal to gain access to sensitive data. It's a particularly worrisome trend in industries where voice communication is a key component of customer interaction, such as banking, healthcare, and government services. Many businesses rely on voice calls for verifying identities and authorizing transactions. As such, they are particularly vulnerable to AI-generated voice fraud.

**What We Can Do About It**

Regulators, industry bodies, and businesses increasingly recognize the need for collective action against voice fraud. This could include intelligence to better understand scam patterns across regions and industries, the development of industrywide standards to improve voice call security, and tighter regulations governing reporting for network operators.

Regulators around the world are now tightening the rules around AI-based voice fraud. For instance, the US Federal Communications Commission (FCC) has made it illegal for robocalls to use either AI-generated or prerecorded voices. In Finland, the government has imposed new obligations on telecommunications operators to guard against caller ID spoofing and the transfer of scam calls to recipients. The EU is investigating similar measures, primarily driven by banks and other financial institutions that want to keep their customers safe. In all instances, efforts are underway to close the door on caller ID spoofing and smishing (fake text messages), which often serve as the entry point for more sophisticated, AI-based tactics.

Many promising detection tools in development could, in theory, drastically reduce voice fraud. They include voice biometrics, deepfake detectors, AI anomaly detection analysis, blockchain, signaling firewalls, and so on. However, cybercriminals are adept at outpacing and outwitting technological leaps, so only time will tell what will work best.

For businesses of all sizes and sectors, cybersecurity capabilities will become increasingly important for telecom services. Aside from the communications network level, businesses should establish clear policies and processes, such as multifactor authentication that uses a variety of verification methods.

Companies should also raise awareness of the most common fraud tactics. Regular training for employees should focus on recognizing and responding to scams, while customers should be encouraged to report suspicious calls.

On a consumer level, the UK's communications regulator, Ofcom, revealed that more than 41 million people were targeted by suspicious calls or texts over a three-month period in 2022. In other words, although brands and governments have been reiterating the message that legitimate businesses will never ask for money or sensitive information over the phone, continued vigilance is necessary.

The easy availability of cloning tools and spiraling crime levels have experts like the Electronic Frontier Foundation suggesting that people should agree on a family password to combat AI-based fraud attempts. It's a surprisingly low-fi solution to a high-tech challenge.

**About the Author(s)**

Senior Industry Analyst, Enea

Laura Wilber is a Senior Industry Analyst at Enea. She supports cross-functional and cross-portfolio teams with technology and market analysis, product marketing, product strategy, and corporate development. She is also an ESG Advisor & Committee Member. Her expertise includes cybersecurity and networking in enterprise, telecom, and industrial markets, and she loves helping customers meet today's challenges while musing about what the next ten years will bring.

Countering Voice Fraud in the Age of AI

One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

A trade organization representing some of the world’s largest information technology companies—Google, Amazon, IBM, and Microsoft among them—say its members are voicing strong opposition to ongoing efforts by the Biden administration to dramatically expand a key US government surveillance authority.

The US Senate is poised to vote Thursday on legislation that would extend a global wiretap program authorized under the Foreign Intelligence Surveillance Act (FISA). Passed by the House of Representatives last week, a provision contained in the bill—known as the Reforming Intelligence and Securing America Act (RISAA)—threatens to significantly expand the scope of the spy program, helping the government to compel the assistance of whole new categories of businesses.

Legal experts argue the provision could enable the government to conscript virtually anyone with access to facilities or equipment housing communications data, forcing “delivery personnel, cleaning contractors, and utilities providers,” among others, to assist US spies in acquiring access to Americans’ emails, phone calls, and text messages—so long as one side of the communication is foreign.

A global tech trade association, the Information Technology Industry Council (ITI), is now urging Congress not to pass RISAA without removing a key provision “dramatically expanding the scope of entities and individuals covered” by the program, known as Section 702. Changes to the 702 program included in the House bill, ITI says, would only serve to send customers in the US and abroad fleeing to foreign competitors, convincing many that technology in the US is far too exposed to government surveillance.

The group’s membership includes several major equipment manufacturers, such as Ericsson, Nokia, and Broadcom, as well as large cloud storage providers like Google, Microsoft, IBM, and Salesforce. “ITI’s position is that the provision should be removed,” the group’s communications director, Janae Washington, tells WIRED. “Our positions are based on member consensus.”

The individual ITI member companies WIRED contacted for their comment on the legislation did not immediately respond or declined to comment.

The provision under fire stems from a ruling handed down by the US government’s secret surveillance court—the FISA court—that oversees the 702 program. The program is designed to target the communications of foreigners, including calls and emails to and from US citizens. To this aim, the federal statute specifies that the government may compel the assistance of businesses that fall into the category of what it calls “electronic communications service providers,” or ECSPs.

Companies like Google and AT&T have typically fallen into this category as direct providers of the services being wiretapped; however, the US government has also moved in recent years to interpret the term more broadly as part of an effort to expand the roster of entities whose assistance it’s allowed to compel.

The FISA court, in a decision backed by its own review body, pushed back against the expanded definition, telling the government that what constitutes an ECSP remains “open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”

More concisely: The court reminded the government that only Congress has the power to rewrite the law.

The US Intelligence Community (IC) thus began a campaign to ensure that this year’s legislation reauthorizing the 702 program redefines “ECSP” to address what it calls a “collection gap resulting from recent court opinions.”

Internal emails obtained by WIRED show that members of the House Intelligence Committee served as intermediaries for the IC in its campaign to convince Congress to support the provision. An email circulated to House members in February by Michael Calcagni, the intel committee’s deputy staff director, for instance, informed lawmakers that the “collection gap” was both “serious and dangerous” and that “contrary to unsubstantiated assertions, it would not authorize or enable the Government to conduct surveillance of any American who connects to public WiFi at a Starbucks or McDonalds.”

One of the nation’s leading FISA experts, Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, began raising the alarm in December over the provision, pointing to text that would allow the government to compel the assistance of “any service provider” with access to “equipment that is being or may be used to transmit or store” communications, so long as one of the recipients is a foreigner reasonably believed to be overseas.

While rejecting Zwillinger’s analysis publicly, House intel members nevertheless attempted to quietly “narrow” the provision to clamp down on any criticism, excluding a handful of business types such as senior centers, hotels, and coffee shops. In a follow-up last week, Zwillinger and other attorneys who’ve made rare appearances before the FISA court characterized the intel committee’s improvements as “marginal,” saying the need for the exclusions only served to demonstrate the government is overreaching.

The provision, Zwillinger says, continues to ensnare owners and operators of facilities housing equipment used to store and carry data, “such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space.” The text could be interpreted to extend to “delivery personnel, cleaning contractors, and utility providers.” And while the new provision excludes businesses like coffee shops, those businesses typically rely on cloud computer services whose equipment remains subject to the 702 program’s expanded scope.

“Although the effects of this provision may be unintentional, its impacts would be very real,” ITI’s senior vice president of policy, John Miller, says. “The language in the provision vastly expands the US government’s warrantless surveillance capabilities, damaging the competitiveness of US technology companies large and small, and arguably imperiling the continued global free flow of data between the US and its allies.”

Should it become apparent to the world that America’s top IT companies—data centers, cloud providers, and security services alike—have been turned into a watering hole for the US Intelligence Community, many customers will “likely look to foreign competitors,” Miller says, companies whose technologies are viewed as less exposed to clandestine government requests.

“There is no greater responsibility of the US government than to provide for the security of the country,” he says, adding it was incumbent upon to craft legislation to address national security concerns “in a focused way.”

_Updated 4/17/2024, 6:30 pm ET: Added additional details clarifying ITI's position on RISAA._

Tag

#amazon