US launches “Shields Ready” campaign
DHS, CISA, and FEMA announced this new campaign to promote overall resiliency and security for critical national infrastructure. If it sounds familiar, CISA launched a “Shields Up” campaign previously. Shields Ready focuses on broad strategies to prepare critical infrastructure for disruption. Shields Up is more about time-sensitive actions for specific risks. This new campaign asks infrastructure providers to identify the most critical assets for operations, consider a range of threats of disruption and evaluate their actual risk, develop a risk management plan, and maintain realistic incident response.
Microsoft and Meta announced AI imagery rules
Microsoft President Brad Smith announced the company will offer a new tool to fight the rise of digitally altered images ahead of the 2024 US elections. This will cryptographically watermark images and video, which will allow anyone online to see if an image is altered or created with AI. Microsoft will make the tool available initially to political candidates for free. It may eventually extend it to more groups after November.
In a similar vein, Meta announced it will require advertisers to disclose political ads with media altered or generated by software ahead of the election. The new policy will take effect in January 2024.
App Defense Alliance moves under the Linux Foundation
Google started the App Defense Alliance back in 2019, initially to help detect malicious apps in the Play Store. Since then it expanded to security assessments for apps and cloud services, as well as malware mitigation. The company announced that the ADA will now join the Linux Foundation project Joint Development Foundation as an independent organization. The move will also see Meta and Microsoft join the ADA’s steering committee. The hope is that the project will collaborate on mobile industry standards to improve app security.
ICE’s devices entice vices
The US Department of Homeland Security Office of the Inspector General issued a report on a recent investigation into equipment management and IT policies by Immigration and Customs Enforcement, or ICE. The report found MDM issues that could put sensitive data at risk. It found “thousands” of unauthorized apps on devices, ranging from third-party file transfer software, to VPN apps, and messaging platforms. It also included apps formally banned from government IT systems. ICE’s IT policies state that it doesn’t monitor data sent to these user-installed “personal applications.” Ahead of the report’s release, ICE implemented some auditor recommendations like disabling prohibited apps.
Huge thanks to our sponsor, Offsec
Microsoft makes more AI moves
The company announced a collaboration with Oracle to use its Oracle Cloud to provide additional compute resources for inference operations as part of the features in Bing Search. This will use Azure Kubernetes Service to orchestrate GPU nodes in Oracle Cloud.
In other AI news, Microsoft-owned GitHub announced a Copilot enterprise subscription tier. Previously it offered a Copilot subscription for individuals only. This new tier will cost $39 per person per month, available in February. Customers can personalize Copilot for their specific codebase and make fine-tuned modifications to the models running it.
WhatsApp callers can hide locations
The popular messaging app announced a new “Protect IP Address in Calls” feature. With it, users can now opt in to hide call locations. These calls will use WhatsApp servers to hide IP address metadata used to estimate location. Even though the call no longer goes over a peer-to-peer direct connection, the company said calls will remain end-to-end encrypted. WhatsApp routes group calls through its servers already. This marks the third privacy-focused feature for WhatsApp this year. In May it added a Chat Lock feature to further protect access to sensitive conversations. And in June it added a “Silence Unknown Callers” setting.
Mining crypto with Azure Automation
Researchers at SafeBreach discovered three different methods a cloud-based cryptominer could use to avoid detection while using Microsoft Azure Automation. This included finding an error in the Azure pricing calculator to let an attacker run any number of jobs without charge. Microsoft subsequently fixed that issue. Another involved using a test job to mine crypto but setting its status to “Failed” and then creating another test job for mining. This effectively hid the mining, albeit with a limit of one job at a time. The researchers also created a proof-of-concept Python package that could mine crypto undetected. Microsoft characterized this as a “by design” implementation.
Monero Project wallet drained
A maintainer for the Monero Project disclosed that a threat actor drained its community crowdfunding system wallet in early September. This saw roughly $437,000 stolen from the wallet. The attack took place using nine separate transactions over a matter of minutes. The attack seems similar to recent wallet draining attacks impacting Atomic Wallet, which the analysts at Elliptic attributed to Lazarus Group. The Monero Project’s other wallets, including its general fund, remain unaffected.