Elsewhere online:
- Microsoft’s Failure to Comply with Children’s Privacy Laws Over Xbox Live Gaming Service Leads to $20 Million FTC Fine
- New Shampoo Chromeloader Campaign Infecting Visitors of Fake Warez and Pirated Movie Sites
- GitHub Used as a Vector for Spreading Malware via Fake Zero-Day Exploits
- Chinese Hackers Accused of Espionage on Global Governments by Mandiant
- Unveiling Skuld: A Sophisticated Golang-Based Malware That Targets Sensitive Data
French Bill Allows Remote Mic Activation by Law Enforcement: What You Need to Know
French senators have approved a controversial provision of a justice bill that allows law enforcement to covertly activate the microphones and cameras on suspects’ gadgets. It also opens the door to easy geolocation tracking of people who are the subject of an inquiry.
In particular, the government cites the “Keeper of the Seals” justice measure to support this action. The measure is meant to capture photographs and audio of people thought to be connected to terrorism, organized crime, or criminality.
They complain that the government ignored them during drafting. The Paris Bar argued that the new capability of remotely activating any electronic gadget constituted a particularly egregious violation of privacy that could not be justified by safeguarding public order. Additionally, they raise concerns about the ambiguity surrounding the protection of attorney-client interactions, describing it as an “inadmissible breach of professional secrecy and the rights of defense.”
According to Justice Minister Eric Dupond-Moretti, there is no reason to be alarmed. He guarantees that appropriate safeguards have been put in place to prevent misuse. A crucial aspect? A judge must approve any request for monitoring made in accordance with this clause.
Read: https://reclaimthenet.org/french-bill-law-enforcement-remotely-switch-on-microphones
Conservative Version of ChatGPT Forced to Shut Down After OpenAI Said It “Failed to Conform to Requirements”
A conservative version of ChatGPT, called GIPPR, has been shut down due to pressure from OpenAI to censor the bot’s responses. Hosted on the pro-free speech and anti-censorship web browser TUSK, GIPPR was released last May and is a modified version of ChatGPT that provides its users with answers from a conservative perspective. The creators of GIPPR said that they were forced to sever ties with OpenAI after they were told that their chatbot failed to “conform to their requirements for what can or cannot be said.”
TUSK founder and CEO Jeff Bermant said in a statement to Fox Business that OpenAI told him that GIPPR was not in compliance with its policies, which were “specifically related to deceptive activity and coordinated inauthentic behavior” and that they needed to “keep users and third parties safe.” The actions of OpenAI appear to many conservatives as another example of attempted censorship from the left.
“The GIPPR bot had been modified to not be highly biased in favor of a leftist agenda, something which seems to be of critical importance to the original creators of ChatGPT,” Bermant said in the statement. “Tusk had produced the only AI bot in operation which actually was fair and balanced and did not promote a radical leftist agenda.” TUSK said it is currently exploring how to make GIPPR operational again and urged users to help them to support defending free speech on the internet.
“Until they find a solution to get it back online, the world of AI will remain highly unbalanced,” Bermant added.
Read: https://www.theepochtimes.com/creator-of-conservative-chatbot-powered-by-chatgpt-says-openai-tried-to-censor-content_5320420.html
Unveiling a New Russian APT Group: Microsoft Links Them to Wiper Attacks in Ukraine
Microsoft security experts have publicly identified a new APT group associated with the GRU, the General Staff’s Main Intelligence Directorate of Russia, and warned that the threat actor was involved in attacks that used destructive wiper malware against organizations in Ukraine.
“[The] emergence of an unusual GRU affiliated actor, especially one that has carried out destructive cyber operations likely supporting broader military objectives in Ukraine, is an important shift in the Russian cyber threat landscape,” Microsoft stated, noting that Cadet Blizzard was the group that created the infamous WhisperGate wiper malware that wiped the Master Boot Record (MBR) of computers in Ukraine.
Researchers discovered that the actor infiltrates compromised networks for months and keeps a foothold there, frequently stealing data before causing disruptions.
Microsoft called some of Cadet Blizzard’s activity “haphazard” and claimed to have found proof that at least one Russian private sector company had materially supported the hackers by providing operational support during the destructive WhisperGate attack.
Read: https://www.securityweek.com/microsoft-outs-new-russian-apt-linked-to-wiper-attacks-in-ukraine/
Critical Flaw in Fortinet’s FortiOS SSL-VPN Patched: Users Urged to Upgrade Systems
Attackers may have exploited a flaw in Fortinet’s FortiOS SSL-VPN in “a limited number of cases,” affecting users in government, manufacturing, and critical infrastructure sectors. The company has issued a fix for the vulnerability, tracked as CVE-2023-27997 (FG-IR-23-097) and rated critical, and is urging customers to apply it as they “monitor the situation,” according to a blog post published by Fortinet this week.
According to the post, exploitation of the flaw can produce “data loss and OS and file corruption” for victims, which is why it’s imperative for customers affected to update systems.
“If the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release,” Carl Windsor, Fortinet’s senior vice president of product technology, wrote in the post. “If the customer is not operating SSL-VPN the risk of this issue is mitigated — however, Fortinet still recommends upgrading.”
The heap-based buffer overflow pre-authentication vulnerability affects FortiOS and FortiProxy SSL-VPN and can allow unauthenticated attackers to gain remote code execution (RCE) via maliciously crafted requests, according to Fortinet. FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5 — released by the vendor on Friday — patch the vulnerability.
Fortinet found the flaw in an audit of its SSL-VPN platform after the rampant exploitation of another vulnerability, CVE-2022-42475 — which, upon discovery, was a zero-day bug — in January.
“This audit, together with a responsible disclosure from a third-party researcher, led to the identification of certain issues that have been remediated in the current firmware releases,” Windsor wrote.
Read: https://www.darkreading.com/vulnerabilities-threats/fortinet-patched-critical-flaw-may-have-been-exploited
US Intelligence Agencies Flouting the Law to Buy Information About American Citizens
The US government has been secretly amassing a large amount of “sensitive and intimate information” on its citizens, a group of senior advisers informed Avril Haines, director of national intelligence, over a year ago.
Haines had first tasked her advisers in late 2021 with untangling a web of secretive business arrangements between commercial data brokers and US intelligence community members. What that report ended up saying constitutes a nightmare scenario for privacy defenders.
“This report reveals what we feared most,” says Sean Vitka, a policy attorney at the nonprofit Demand Progress. “Intelligence agencies are flouting the law and buying information about Americans that Congress and the Supreme Court have made clear the government should not have.”
In the shadow of years of inaction by the US Congress on comprehensive privacy reform, a surveillance state has been quietly growing in the legal system’s cracks. Little deference is paid by prosecutors to the purpose or intent behind limits traditionally imposed on domestic surveillance activities. As the framework guarding what privacy Americans do have grows increasingly frail, opportunities abound to split hairs in court over whether such rights are even enjoyed by our digital counterparts.
“I’ve been warning for years that if using a credit card to buy an American’s personal information voids their Fourth Amendment rights, then traditional checks and balances for government surveillance will crumble,” Ron Wyden, a US senator from Oregon, says.
The Office of the Director of National Intelligence (ODNI) did not immediately respond to a request for comment. WIRED was unable to reach any members of the senior advisory panel, whose names have been redacted in the report. Former members have included ex-CIA officials of note and top defense industry leaders.
Read: https://www.wired.com/story/odni-commercially-available-information-report/
Elsewhere online:
Microsoft’s Failure to Comply with Children’s Privacy Laws Over Xbox Live Gaming Service Leads to $20 Million FTC Fine
Read: https://www.cpomagazine.com/data-protection/20-million-fine-issued-to-microsoft-by-ftc-over-xbox-childrens-privacy-violations/
New Shampoo Chromeloader Campaign Infecting Visitors of Fake Warez and Pirated Movie Sites
Read: https://www.bleepingcomputer.com/news/security/new-shampoo-chromeloader-malware-pushed-via-fake-warez-sites/
GitHub Used as a Vector for Spreading Malware via Fake Zero-Day Exploits
Read: https://www.bleepingcomputer.com/news/security/fake-zero-day-poc-exploits-on-github-push-windows-linux-malware/
Chinese Hackers Accused of Espionage on Global Governments by Mandiant
Read: https://techcrunch.com/2023/06/15/mandiant-china-hackers-barracuda-espionage-governments/
Unveiling Skuld: A Sophisticated Golang-Based Malware That Targets Sensitive Data
Read: https://thehackernews.com/2023/06/new-golang-based-skuld-malware-stealing.html
So “Success is what YOU want. And happiness is what you get”.
Oh no- it’s by Dale Carnegie! My mother was always lecturing his stuff to me, when I was but a mere child.
As well, quoting Mary Baker Eddy and Ralph Waldo Emerson.
Migod. So many years ago. Decades ago. Success. Ugh.
Was the “Success” quote by Maya Angelou?