Schneier on Security

Page 40

Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme

Not sure this will matter in the end, but it’s a positive move:

Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content.

The foreign-based defendants developed tools specifically designed to bypass safety guardrails Microsoft has erected to prevent the creation of harmful content through its generative AI services, said Steven Masada, the assistant general counsel for Microsoft’s Digital Crimes Unit. They then compromised the legitimate accounts of paying customers. They combined those two things to create a fee-based platform people could use.

It was a sophisticated scheme:

The service contained a proxy server that relayed traffic between its customers and the servers providing Microsoft’s AI services, the suit alleged. Among other things, the proxy service used undocumented Microsoft network application programming interfaces (APIs) to communicate with the company’s Azure computers. The resulting requests were designed to mimic legitimate Azure OpenAPI Service API requests and used compromised API keys to authenticate them.

Slashdot thread.

Tags: AI, hacking, LLM, Microsoft

Posted on January 13, 2025 at 7:01 AM • View Comments

Friday Squid Blogging: Cotton-and-Squid-Bone Sponge

News:

A sponge made of cotton and squid bone that has absorbed about 99.9% of microplastics in water samples in China could provide an elusive answer to ubiquitous microplastic pollution in water across the globe, a new report suggests.

[…]

The study tested the material in an irrigation ditch, a lake, seawater and a pond, where it removed up to 99.9% of plastic. It addressed 95%-98% of plastic after five cycles, which the authors say is remarkable reusability.

The sponge is made from chitin extracted from squid bone and cotton cellulose, materials that are often used to address pollution. Cost, secondary pollution and technological complexities have stymied many other filtration systems, but large-scale production of the new material is possible because it is cheap, and raw materials are easy to obtain, the authors say.

Research paper.

Blog moderation policy.

Tags: academic papers, squid

Posted on January 10, 2025 at 5:06 PM •

Apps That Are Spying on Your Location

404 Media and Wired are reporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics:

The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS. Because much of the collection is occurring through the advertising ecosystem—not code developed by the app creators themselves—this data collection is likely happening both without users’ and even app developers’ knowledge.

Tags: adware, cyberespionage, data collection, geolocation, hacking

Posted on January 10, 2025 at 11:27 AM • View Comments

Zero-Day Vulnerability in Ivanti VPN

It’s being actively exploited.

Tags: VPN, vulnerabilities, zero-day

Posted on January 9, 2025 at 12:16 PM • View Comments

US Treasury Department Sanctions Chinese Company Over Cyberattacks

From the Washington Post:

The sanctions target Beijing Integrity Technology Group, which U.S. officials say employed workers responsible for the Flax Typhoon attacks which compromised devices including routers and internet-enabled cameras to infiltrate government and industrial targets in the United States, Taiwan, Europe and elsewhere.

Tags: China, cyberattack, national security policy

Posted on January 7, 2025 at 7:00 AM • View Comments

Privacy of Photos.app’s Enhanced Visual Search

Initial speculation about a new Apple feature.

Tags: Apple, searches

Posted on January 6, 2025 at 7:06 AM • View Comments

Friday Squid Blogging: Anniversary Post

I made my first squid post nineteen years ago this week. Between then and now, I posted something about squid every week (with maybe only a few exceptions). There is a lot out there about squid, even more if you count the other meanings of the word.

Blog moderation policy.

Tags: squid

Posted on January 3, 2025 at 5:04 PM •

ShredOS

ShredOS is a stripped-down operating system designed to destroy data.

GitHub page here.

Tags: data destruction, operating systems

Posted on January 3, 2025 at 9:46 AM • View Comments

Google Is Allowing Device Fingerprinting

Lukasz Olejnik writes about device fingerprinting, and why Google’s policy change to allow it in 2025 is a major privacy setback.

EDITED TO ADD (1/12): Shashdot thread.

Tags: data collection, fingerprints, Google, identification, privacy, tracking

Posted on January 2, 2025 at 3:22 PM • View Comments

Gift Card Fraud

It’s becoming an organized crime tactic:

Card draining is when criminals remove gift cards from a store display, open them in a separate location, and either record the card numbers and PINs or replace them with a new barcode. The crooks then repair the packaging, return to a store and place the cards back on a rack. When a customer unwittingly selects and loads money onto a tampered card, the criminal is able to access the card online and steal the balance.

[…]

In card draining, the runners assist with removing, tampering and restocking of gift cards, according to court documents and investigators.

A single runner driving from store to store can swipe or return thousands of tampered cards to racks in a short time. “What they do is they just fly into the city and they get a rental car and they just hit every big-box location that they can find along a corridor off an interstate,” said Parks.

Tags: crime, fraud

Posted on December 31, 2024 at 7:02 AM • View Comments

← Earlier Entries Later Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.