Third Party Security Data Breach Leaves Bank of America Customers Worried and Confused
Bank of America has warned customers of a leak of their sensitive data that occurred due to a ransomware attack that breached the environment at technology partner Infosys McCamish Systems (IMS) last autumn. It’s an incident that once again highlights the importance of securing access to data and environments across third-party systems.
At least 57,028 customers were affected in the breach, which occurred “when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications,” according to a data breach disclosure form filed in Maine by IMS, and a separate letter (PDF) sent on behalf of Bank of America to affected customers. The financial institution serves about 69 million clients in over 35 countries worldwide.
The form and letter offer different timelines for when the breach occurred. The disclosure form claims it occurred on Oct. 29, with IMS discovering it the following day. The letter says it occurred “on or around Nov. 3.”
Either way, the attack caused some unspecified systems in IMS’ technology environment — which provides insurance process management solutions and services — to be rendered unavailable. The attack also exposed sensitive data — including the combination of people’s names or other personal identifiers with their Social Security numbers — from Bank of America deferred-compensation plans, for which the company provides services.
However, IMS noted that it “is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident,” though it “may have included” not only people’s names and SSNs, but also addresses, business email addresses, dates of birth, and other account info.
Read: https://www.darkreading.com/cyberattacks-data-breaches/bofa-warns-customers-of-data-leak-in-third-party-breach
Bill S-210 Lobby Working Hard to Foster Widespread Age Verification Technologies in Canada
Senator Julie Miville-Dechêne is the chief architect and lead defender of Bill S-210, also known as the Protecting Young Persons from Exposure to Pornography Act. The bill is controversial for many reasons, including measures that raise privacy concerns, block websites, and extend far beyond pornography sites to include social media and search engine results.
The bill started in the Senate and is now in the House of Commons, where last year Conservative, NDP, and Bloc MPs voted in favor of it before sending it to committee for further study. Although the government has called the bill “fundamentally flawed”, there may still be sufficient House support to turn it into binding legislation.
While Senator Miville-Dechêne wants to use the bill to stop underage access to sexually explicit material, a new standards initiative suggests that there may be far more extensive use of mandated age verification systems. The Digital Governance Council (DGC) is one of several organizations led by ex-BlackBerry co-founder Jim Balsillie, aimed at influencing digital and innovation policy.
The DGC includes an accredited standard-setting arm which is now promoting the development of a standard for age verification which “aims to foster the widespread adoption of age-verification technologies in Canada.”
The standard’s proposal makes clear that Bill S-210 is only the start. In fact, it argues that recent trends “compel the need for a broader application of age verification technologies” than those envisioned by the bill. In doing so, it cites the need for age verification technologies for gaming platforms, live streaming video, virtual reality, online advertising, and chat forums. With regard to Bill S-210, the proposal maintains that support for age verification should extend far more broadly.
Read: https://www.michaelgeist.ca/2024/01/bill-s-210-is-just-the-beginning-how-a-canadian-digital-lobby-group-is-promoting-a-standard-to-foster-widespread-adoption-of-age-verification-technologies-in-canada/
Facebook’s Compliance with Health Canada’s Requests Leads to Post Censorship
Big Tech’s collusion to stifle speech extends beyond the United States, although incidents centered around the US tend to garner the most attention. While many countries may remain unaware of such censorship orchestrated by major social media platforms at the government’s request, Canada has come into the spotlight as a well-known example.
After a wait of 11 months, Health Canada was compelled to release the documents, which spanned an entire two pages (sarcasm intended). These documents shed light on the Canadian government, particularly the Health Ministry, requesting Facebook to take down “at least three” user-published posts. Notably, these requests were related to the ongoing Covid situation.
The emails show Facebook was unwilling to take any risks. After facing significant criticism and accusations following the 2016 US election, where it was portrayed as an accomplice to largely exaggerated (if not imagined) Russian interference, the company became exceptionally eager to comply with requests.
Facebook’s response to an email from Maja Graham, Chief of Social Media in the Digital Communications Division at Health Canada and the Public Health Agency of Canada, was as follows: “I wanted to quickly follow up to confirm that we’ve removed the posts you’ve flagged and we have added this to our list of false claims so we should be able to detect and remove in the future.”
Read: https://reclaimthenet.org/facebook-censored-posts-at-health-canadas-request
Court Rejects Most Copyright Claims by Book Authors Against OpenAI
A US district judge in California has largely sided with OpenAI by dismissing the majority of claims raised by authors. These authors alleged that OpenAI’s ChatGPT, powered by large language models, was illegally trained on pirated copies of their books without their permission. The authors claimed that OpenAI’s popular chatbot, ChatGPT, essentially repackaged their original works as outputs, constituting a high-tech “grift” that seemingly violated copyright laws, as well as state laws preventing unfair business practices and unjust enrichment.
In the legal proceedings, Judge Araceli Martínez-Olguín has ruled that the authors, including Sarah Silverman, Michael Chabon, and Paul Tremblay, who initiated three separate lawsuits, failed to provide substantial evidence to support their claims, with the exception of direct copyright infringement. OpenAI had already anticipated this outcome and asserted in their motion to dismiss the cases filed last August that they expected to successfully challenge the direct infringement claim at a later stage of the proceedings.
OpenAI emphasizes that it requires not only older copyrighted materials but also current ones to ensure that the outputs of its chatbot and other AI tools align with the demands of present-day users. During this period of uncertainty, rights holders are expected to brace themselves as they await the Copyright Office’s reports. Once clarity emerges, these reports could significantly impact courts, lawmakers, and regulators, carrying substantial weight, as reported by The Times.
Read: https://arstechnica.com/tech-policy/2024/02/judge-sides-with-openai-dismisses-bulk-of-book-authors-copyright-claims/
Ivanti VPN Under Siege: SAML Vulnerability Leads to Widespread Compromises
A critical SAML vulnerability in Ivanti VPN appliances has become a focal point for cyber attackers, resulting in the injection of a previously unseen backdoor. Discovered on January 31, the flaw (CVE-2024-21893) allows opportunistic threat actors to gain persistent remote access and full control within targeted networks.
Following the disclosure, researchers identified a novel backdoor, dubbed “DSLog,” exploiting compromised Ivanti appliances. This backdoor, controlled through a basic API key mechanism, poses challenges in detection as it does not provide a status message upon contact and employs a unique hash per appliance, making cross-device identification impossible.
The mass-exploitation campaign has affected over 670 IT infrastructures, with threat actors targeting Ivanti VPN vulnerabilities. The report advises cyber teams to conduct a factory reset with full patching for compromised Ivanti devices and those potentially targeted by state-sponsored attackers, particularly from China. While the Ivanti Integrity Checker Tool is deemed useful, the report highlights its limitations, emphasizing the importance of early mitigation, historical scans, and vigilance for suspicious behavior to ensure device integrity.
Read: https://www.darkreading.com/cloud-security/ivanti-flaw-exploited-inject-novel-backdoor
Elsewhere Online:
Study Reveals Surprising Benefits of Handwriting: Unlocking the Potential of Multiple Brain Regions
Read: https://www.zerohedge.com/medical/study-finds-handwriting-increases-brain-connectivity
Proposed Canadian Speech Law Sparks Controversy: Advocates of Fossil Fuels Could Face Jail Time
Read: https://reclaimthenet.org/canada-ndp-proposed-speech-law-calls-to-jail-those-that-praise-fossil-fuels
Facebook Marketplace Database Allegedly Leaked by IntelBroker Threat Actor
Read: https://www.hackread.com/hackers-leak-facebook-marketplace-database/
Decrypting Rhysida Ransomware’s Tactics for Data Recovery
Read: https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/
Urgent Security Alert: Vajraspy RAT Threat Taints Google Play with Compromised Malicious Android Apps
Read: https://latesthackingnews.com/2024/02/08/malicious-android-apps-on-google-play-store-deliver-vajraspy-rat/