Here is What’s Illegal Under California’s 8 (and Counting) New AI Laws
Article Link: https://techcrunch.com/2024/09/19/here-is-whats-illegal-under-californias-8-and-counting-new-ai-laws/
- California has passed eight new AI laws with 30 more under review. Some of the laws passed include SB 926, which criminalized using AI-generated nude deepfakes for blackmail, and SB 981, requiring social media platforms to remove reported deepfake nudes. These laws aim to curb AI misuse, especially concerning privacy violations and digital harassment.
- SB 942 mandates that AI-generated content be watermarked, making it clear when AI tools like DALL-E create digital media. This transparency law helps the public identify AI-generated material, enhancing trust and accountability in AI content creation.
- To protect elections from AI deepfakes, California enacted laws such as AB 2655, which forces platforms like Facebook to remove or label misleading election-related deepfakes. AB 2355 requires explicit disclosure of AI-generated political ads to prevent voters from being misled by manipulated content.
- Two laws safeguard actors’ rights: AB 2602 prohibits using AI to replicate an actor’s voice or likeness without permission. AB 1836 extends this protection to deceased performers, requiring estates’ consent for AI-generated digital replicas in media productions.
Companies Carry More Liability for AI Than They Realize
Article Link: https://www.axios.com/2024/09/16/companies-liability-ai-nyu-law-journal
- Companies using generative AI may face legal liabilities, even if they believe it’s solely the responsibility of AI developers. Existing housing, lending, and employment laws apply, regardless of AI usage, and unofficial or unauthorized AI use may increase risks associated with discrimination.
- Legal experts, including EqualAI CEO Miriam Vogel, warn that many businesses underestimate their legal exposure. AI systems, particularly unsophisticated ones, may inadvertently violate regulations, potentially leading to lawsuits.
- Courts will likely decide how existing laws, especially around intellectual property, apply to generative AI. Copyright disputes are already arising, with ongoing debates over AI’s role in fair use and copyright eligibility.
Gateways to Havoc: Overprivileged Dormant Service Accounts
Article Link: https://www.helpnetsecurity.com/2024/09/17/dormant-service-accounts/
- Dormant service accounts, often overprivileged and poorly managed, pose significant security risks. Typically becoming dormant after 90 days of inactivity, these non-human accounts lack oversight and are easy targets for attackers.
- Threat actors can exploit dormant accounts to gain unauthorized access to systems, elevate privileges, and exfiltrate sensitive data, leading to costly breaches, disruptions, and regulatory non-compliance, especially in regulated industries.
- Organizations should implement modern identity security solutions with continuous behavioral monitoring to detect and manage dormant accounts. Real-time tracking of both human and machine accounts helps enforce least-privileged access and prevent invisible gateways to sensitive systems.
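As an added example (not from the article), a small defender-side check that applies the 90-day dormancy threshold to a constructed service-account inventory and ranks dormant accounts by whether they still hold privileged roles; the account names, timestamps and role names are assumptions:

```python
from datetime import datetime, timezone

DORMANCY_DAYS = 90  # inactivity threshold cited in the article
# Assumed role names that count as privileged; adapt to your IdP or cloud IAM
PRIVILEGED_ROLES = {"owner", "admin", "iam_admin", "secret_reader"}

# Fixed reference date (the digest's date) so results are reproducible
REFERENCE_NOW = datetime(2024, 9, 19, tzinfo=timezone.utc)

# Constructed sample inventory, not real accounts: name, last successful
# authentication (None = never used), and granted roles
INVENTORY = [
    {"name": "svc-backup",  "last_auth": "2024-01-15T00:00:00Z", "roles": ["owner"]},
    {"name": "svc-ci",      "last_auth": "2024-09-10T00:00:00Z", "roles": ["admin"]},
    {"name": "svc-metrics", "last_auth": "2024-03-01T00:00:00Z", "roles": ["viewer"]},
    {"name": "svc-legacy",  "last_auth": None, "roles": ["iam_admin", "viewer"]},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-15T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def days_inactive(account, now):
    """Whole days since the account last authenticated; None if it never has."""
    if account["last_auth"] is None:
        return None
    return (now - parse_ts(account["last_auth"])).days


def assess(inventory, now=REFERENCE_NOW):
    """Return dormant accounts, overprivileged ones first, each with a suggested action."""
    findings = []
    for acct in inventory:
        idle = days_inactive(acct, now)
        # An account that has never authenticated is treated as dormant as well
        if idle is not None and idle < DORMANCY_DAYS:
            continue
        privileged = sorted(set(acct["roles"]) & PRIVILEGED_ROLES)
        findings.append({
            "name": acct["name"],
            "days_inactive": idle,
            "privileged_roles": privileged,
            "severity": "high" if privileged else "medium",
            "action": "disable and strip privileged roles" if privileged
                      else "disable; delete if still unused after review",
        })
    # Most urgent first: privileged dormant accounts, then the longest idle (never-used counts as longest)
    findings.sort(key=lambda f: (f["severity"] != "high",
                                 -(10**6 if f["days_inactive"] is None else f["days_inactive"])))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f['severity']:6} {f['name']:12} idle={f['days_inactive']} -> {f['action']}")
```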
Passwordless AND Keyless: The Future of (Privileged) Access Management
Article Link: https://thehackernews.com/2024/09/passwordless-and-keyless-future-of.html
- Secure Shell Protocol (SSH) keys are widely used in IT environments but, unlike passwords, are often unmanaged by traditional Privileged Access Management (PAM) solutions. SSH keys outnumber passwords by 10:1 and provide access to valuable resources, making them critical to manage.
- Traditional PAMs can only discover around 20% of SSH keys, leaving most organizations unaware of their critical credential exposure. SSH keys can be self-provisioned, lack expiration, and are easily shared, increasing the risk of unauthorized access.
- Modern solutions offering ephemeral, just-in-time access eliminate the need to manage SSH keys and passwords by granting temporary access for each session. This approach secures machine-to-machine and automated connections without leaving behind unmanaged credentials.
The Current Cybersecurity Landscape: New Threats, Same Security Mistakes
Article Link: https://www.darkreading.com/vulnerabilities-threats/current-cybersecurity-landscape-new-threats-same-security-mistakes
- The 2024 Thales Data Threat Report, based on insights from nearly 3,000 respondents across 18 countries and 37 industries, reveals growing information security challenges as 93% of organizations report increased attacks.
- The rapid adoption of AI is outpacing security measures, leading to risks like data leaks. Companies should prioritize compliance with the Cybersecurity and Infrastructure Security Agency (CISA) guidelines to safeguard sensitive information and reduce breach risks by ten times.
- 48% of respondents do not focus on post-quantum cryptography (PQC) despite its importance in protecting data from future quantum computing threats. Organizations should invest in PQC now to defend against “harvest now, decrypt later” attacks.
- In cloud and DevOps environments, 56% of organizations see secrets management as a top concern, with risks from exposed credentials like application programming interface (API) keys. Strengthening data-centric security and improving DevSecOps practices are needed to mitigate these vulnerabilities.
- Link to Thales’ Report: https://cpl.thalesgroup.com/data-threat-report
Chrome Introduces One-Time Permissions and Enhanced Safety Check for Safer Browsing
Article Link: https://thehackernews.com/2024/09/chrome-introduces-one-time-permissions.html
- Google has introduced new features in Chrome, including automatic Safety Check updates and one-time permission settings to enhance user control over privacy and online safety.
- Safety Check now runs in the background, revoking permissions from websites users no longer visit and flagging potentially harmful sites. It also alerts users if their Google Password Manager credentials have been compromised in data breaches.
- Users can now grant one-time permissions, such as access to the camera or microphone, on Android and Desktop. This feature enhances privacy by revoking access once the user leaves the site. These features protect against online threats and help manage data more securely.
- Link to Google’s Announcement: https://blog.google/products/chrome/google-chrome-safety-update-september-2024/
Data Disposal and Cyber Hygiene: Building a Culture of Security Within Your Organization
Article Link: https://www.helpnetsecurity.com/2024/09/19/cyber-hygiene-practices/
- Data breaches are escalating, with over 1 billion victims reported in the first half of 2024 and 74% of breaches attributed to human error, according to the 2024 Verizon Data Breach Investigations Report, which analyzed incidents involving over 5,200 breaches.
- Proper data erasure practices comply with data regulations like GDPR and CCPA to protect personally identifiable information (PII), reducing risks from data hoarding and unauthorized access. Essential cyber hygiene practices include multi-factor authentication (MFA), strong passwords, authorized access controls, regular software updates, and secure data disposal.
- Building a culture of security requires leadership involvement in policy-making, employee training, and regular audits of information security practices; together, these measures may prevent upwards of 98% of cyberattacks.
- Link to Verizon’s Report: https://www.verizon.com/about/news/2024-data-breach-investigations-report-vulnerability-exploitation-boom
Concerns Over Supply Chain Attacks on US Seaports Grow
Article Link: https://www.darkreading.com/ics-ot-security/concerns-supply-chain-attacks-us-seaports-grow
- A report by the House Select Committee on the Chinese Communist Party revealed that 80% of US maritime port cranes are made by China’s ZPMC, which retains remote access via unmonitored cellular modems. This raises serious cybersecurity concerns, as China could exploit these vulnerabilities in critical US infrastructure during future conflicts.
- The committee recommends disabling the cranes’ cellular modems, installing security monitoring systems, and prioritizing protections at critical ports like Guam, which supports US military operations. These proposed actions aim to reduce the risk of remote cyber-physical attacks.
- US ports, responsible for 40% of the value of international freight, are vulnerable to cyberattacks. Remediation includes treating digital access like physical access, patching software vulnerabilities, and monitoring remote access to prevent disruptions that could severely impact the economy.
- Link to the House Committee’s Report: https://homeland.house.gov/2024/09/12/new-investigation-by-house-homeland-select-committee-on-the-ccp-finds-potential-chinese-threats-to-u-s-port-infrastructure-security/
Prison Just Got Rougher as Band of Heinously Violent Cybercrims Sentenced to Lengthy Stints
Article Link: https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/
- Remy Ra St Felix, a 25-year-old Floridian, was sentenced to 47 years in prison for orchestrating violent crimes, including kidnapping and cryptocurrency theft, after leading a gang that stole over $3.5 million since 2020.
- One of the most shocking incidents involved a home invasion in North Carolina, where St Felix and his accomplices zip-tied an elderly couple at gunpoint, threatening severe harm to extract access to their cryptocurrency wallets, resulting in the theft of over $150,000 in crypto.
- The gang’s criminal activities evolved from non-violent SIM-swapping to brutal home invasions, using encrypted messaging to plan their attacks and coordinate with international accomplices, with several members now facing sentences ranging from 12 to 25 years.
