The MOAB may not be just recycled data after all.

On January 23, 2024, we reported on the discovery of billions of exposed records online, now commonly referred to as the “mother of all breaches” (MOAB).

Since then, the source of the dataset has been identified as data breach search engine Leak-Lookup.

Prevention platform SpyCloud compared the MOAB data with its own recaptured dataset and found at least 94% of the data was either public, old, or otherwise widely-known. That leaves a lot of new records.

From SpyCloud’s blog:

> “a small number of individual breaches totaling a large number of records – approximately 1.6 billion – appeared distinct, as compared to SpyCloud’s dataset.”

SpyCloud was able to attribute some data to what it calls “private sale breaches”, which are datasets that were sold privately or otherwise traded outside of the public space.

As Troy Hunt of HaveIBeenPwned pointed out on his blog, there is a data breach “personal stash” ecosystem. This consists of personal stashes of data breaches existing all over the place, fueling an exchange ecosystem that creates copies of billions of records of personal data over and over again.

> “The data of a significant portion of the global internet-using population, just freely flowing backwards and forwards not just in the shady corners of the dark web but traded out there in the clear on mainstream websites.”

These shady services, Hunt says, allow interested parties, including criminals, to access records that contain usernames, passwords (including in clear text), email addresses, and IP addresses. And Hunt says he feels that Leak-Lookup is one of the “bad” guys for the following reasons:

1.  After purchasing access, it returns extensive personal information exposed in data breaches including names, email addresses, usernames, phone numbers, and passwords.
2.  The operator is clearly trying to remain anonymous with no discoverable information about who is running it.
3.  It has Terms of Service that include: You may only use this service for your own personal security and research. But it does nothing to enforce that restriction.

What worries me even more is the amount of buyers and brokers for breach data. I, for one, never realized there were so many of them. That’s regardless of whether they are there to sell data to anyone that is willing to pay, or only offer it to those that rightfully own the data.

This in itself constitutes multiple risks. As we all learned in economics, demand drives up the price and the higher the price the more attractive it becomes to go after the data. And, as the MOAB breach clearly demonstrated, not everyone is as careful as they should be about accidentally exposing their collection.

And it’s not just cybercriminals that are buying this type of data. US Senator Ron Wyden released documents confirming the National Security Agency buys Americans’ internet records, which can reveal which websites they visit and what apps they use, despite a recent FTC order saying that data brokers must obtain Americans’ informed consent before selling their data. 

If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Mother of all Breaches may contain NEW breach data 

Threat actors are using all the tools at their disposal to deliver malware. Malicious ads are only one step in the chain, with compromised sites providing the free hosting and changing capabilities that can evade detection.

Nitrogen is the name given to a campaign and associated malware that have been distributed via malicious search ads. Its signature move is using Python and DLL side-loading to connect to the attacker’s command and control server.

In this blog post, we look at a recent Nitrogen campaign and specifically at how the initial payload is being served onto victims. The threat actors seem to have a preference for hosting their payloads on compromised WordPress sites, many of which are already hacked with malicious PHP shell scripts.

We also review the connection between malvertising and ransomware in the context of increased web-based attacks.

**Malicious ads leads to fake WinDirStat site**

We are tracking several different malvertising campaigns, which we typically categorize based on the payloads they deliver. However, we also sometimes see overlap in the criminal infrastructure and, more interestingly, in the malicious ads themselves.

The ads are displayed via Google searches for popular search terms related to programs used by IT and system administrators. The malvertiser behind this campaign like to register expired domain names that have a previous history, which helps them to bypass certain security checks that involve looking at the age of a domain name.

Malicious ad

The first step upon clicking on the ad consists of filtering visitors. If it doesn’t like your IP address or other client-side setting, it will display a fake page. The content looks like it was generated via Chat-GPT or some other LLM.

Decoy website

Real victims will instead be served a 302 redirect to a decoy site at windirsstat\[.\]net:

Malicious redirect

The page is designed to look identical to the real website except for the download link which points somewhere else.

Fake WinDirStat website

**Compromised sites**

The threat actor is using a number of hacked sites to host their malicious payloads which they regularly rotate through. This is not a new technique, but it is yet odd to see the fake installers cohabit with various web shells.

In fact, anyone could easily change the files or even delete them. Here, we’re simply observers and looking at the file managers that are open on the internet.

403WebShell

Nega1ve Shell

WSOX Shell

**Payload**

Nitrogen uses DLL side-loading via a signed executable to launch its payload:

Side-loading a malicious DLL

It then proceeds with running Python from a newly created folder under %appdata%:

Python running a malicious file

The Python file it executes is heavily obfuscated:

Obfuscated Python file

ThreatDown will detect this malicious activity and quarantine the malicious Python file:

ThreatDown detecting and blocking the malicious Python file

Blocking the payload at this step is crucial as it is the point where it will otherwise contact its command and control server (C2):

Network traffic between victim and C2

In recent Zip installers for Nitrogen, we noticed two files likely related to their control panel. It’s worth noting that one of them is in Ukrainian language:

Panel template files

Victims are added to the attackers’ control panel for further processing. The threat actors will need to cleanup their database to remove uninteresting entries such as those generated by malware sandboxes and researchers. The remaining victim can then be divided into a team of specialists that will use post exploitation tools to further gather information and compromise the network, before launching additional payloads.

**Protecting your business from malicious ads**

Threat actors have been using online ads as a delivery vector for malware heavily since late 2022. There is a particular segment of the market related to software downloads and in particular those used in an IT or corporate environment.

Based on our own stats, we have been seeing a steady rise in reported incidents since summer 2023 with some of the major players distributing FakeBat, PikaBot, Carbanak, Nitrogen, NetSupport RAT, or Atomic Stealer.

What makes campaigns such as Nitrogen a serious threat for businesses is their known connection with ransomware. The threat actors who gain access to a compromised machine deploy adversary emulation framework tools such as Sliver before dropping ransomware, namely ALPHV/BlackCat.

Many businesses are not adequately protected when it comes to malicious ads. This is typically reflected in the tools and security software installed on endpoints, which will often focus on spam and phishing emails.

Threat actors are well aware of this, and they have been using online ads as a delivery vector for malware heavily since late 2022. Based on our own stats from tracked incidents, we have been seeing a rise in reported incidents since summer 2023.

ThreatDown protects your networks thanks to its web-based and malware blocking features. Being able to block the infrastructure used by criminals to funnel traffic from ads is critical to avoid malware even landing on endpoints.

 Nitrogen shelling malware from hacked sites 

Actions by the FCC and FTC have led to a decrease in unsollicited and scammy calls

The Federal Communications Commission (FCC) has announced that its recent actions with the Federal Trade Commission (FTC) against international robocalls appear to have had an effect.

Robocalls are automated phone calls, often associated with scams and unwanted solicitations, which can be a nuisance to individuals and businesses alike.

In November, 2023, the FCC and FTC sent separate, but coordinated, warning letters to specific gateway providers demanding these providers cease to serve as entry ways for international robocalls to the US. Failure by a gateway provider to take reasonable and effective steps to prevent their networks from transmitting illegal traffic could ultimately result in an order by the FCC directing downstream providers to block and cease accepting all of the gateway provider’s traffic, they were warned.

From the reduced number of traceback requests the FCC deducts that this has had a positive effect. According to USTelecom’s Industry Traceback Group (ITG), there is a downward trend in tracebacks related to traffic entering the US network through these providers.

The ITG is a group of companies from across the wireline, wireless, VoIP, and cable industries that collaborate to trace, source, and ultimately, stop illegal robocalls.

Robocalls are not only an annoying waste of time and resources, they often serve as a prelude to more targeted scams. Scam calls in particular can result in serious financial losses and frustration. So the FCC has made combatting unlawful robocalls and malicious caller ID spoofing a top consumer protection priority.

There are apps that can help you block robocalls. Malwarebytes for iOS, for example, blocks all incoming robocalls and text message scams. The Malwarebytes iOS app also protects you from phishing attacks and malware. If, by chance, you click a malicious link or attempt to navigate to a fraudulent site, Malwarebytes will block the site from loading.

Some wireless companies are also providing services, which will display some variation of the message “possible scam” on the screen for unknown numbers that call you.

**What to do if you answer a robocall**

When you receive a call from someone outside your contact list only to hear a recorded message playing back at you, that’s a robocall.

1.  Hang up as soon as you realize that it is an automated robocall.
2.  Do not engage with the call at all.
3.  Don’t follow any instructions.
4.  Avoid giving away any personal information.
5.  Report the robocall.
    *   If you’ve lost money to a phone scam or have information about the company or scammer who called you, tell the FTC at ReportFraud.ftc.gov.
    *   If you didn’t lose money and just want to report a call, use the streamlined reporting form at DoNotCall.gov
    *   If you believe you received an illegal call or text, report it to the Federal Communications Commission (FCC).

It is important to not engage in any conversation or respond to any prompts to minimize the risk of fraud. Even the smallest snippets of your voice being recorded, can be used in scams against you or your loved ones.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Decline in robocalls is encouraging, efforts seem to be working 

An Italian investigation into privacy concerns has given ChatGPT 30 days to defend itself.

Italy’s Data Protection Authority (GPDP) has uncovered data privacy violations related to collecting personal data and age protections after an inquiry into OpenAI’s ChatGPT. OpenAI has 30 days to respond with a defense.

ChatGPT is an artificial intelligence (AI) chatbot that can engage in conversations with users, and answer their questions. It does this using natural, human-like language, a trick which is accomplished by training the underlying algorithm with large amounts of data from the internet.

Italy and ChatGPT historically have a troubled relationship. In April, 2023 ChatGPT was happy to announce that the artificial intelligence chatbot was available again in Italy after a month long block. To accomplish this the company had to meet the demands of Italy’s regulators who temporarily blocked ChatGPT over privacy concerns.

But Italy didn’t rest the case at that point. The GPDP started an investigation into data privacy violations. Around the same time the European Union’s European Data Protection Board set up a special task force to monitor ChatGPT.

The Italian authority has since concluded that elements indicate one or more potential data privacy violations without providing specific details, but added its investigation would take into account work done by the European task force.

In December of 2023 the European Union (EU) reached a provisional deal on landmark EU rules governing the use of artificial intelligence. This agreement requires Large Language Models (LLMs) such as ChatGPT and more general purpose AI systems (GPAI) to comply with transparency obligations before they are put on the market.

The GPDP noted two major concerns which are only voiced in general terms:

*   The available evidence pointed to the existence of breaches of the provisions contained in the EU.
*   It is concerned that younger users may be exposed to inappropriate content generated by the chatbot.

For those reasons Italy’s watchdog said it would like to see OpenAI:

> “implementing an age verification system and planning and conducting an information campaign to inform Italians of what happened as well as of their right to opt-out from the processing of their personal data for training algorithms.”

ChatGPT is already blocked in a number of other countries, including China, Iran, North Korea, and Russia. Which might turn out to be their loss. Time will tell.

We shouldn’t forget that we are talking about a revolutionary technology that is only just scratching the surface of its potential and going through some growing pains like a child would—a child with the knowledge and vocabulary of a library, but no idea what a secret is, let alone how to keep one.

To demonstrate the fact, Ars Technica found that ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users.

In November, 2023, researchers published a paper reporting how ChatGPT could be prompted into revealing email addresses and other private data that was included in training material. Those researchers warned that ChatGPT was the least private model they studied.

So, yes, it’s good to keep a keen eye on the developments and pace them where needed. But we should not do this to the extent that we push it away from the public eye. A child needs to be supervised, not locked in a basement.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 ChatGPT accused of breaking data protection rules 

To comply with the EU's Digital Markets Act, Apple will allow European iPhone owners to install apps obtained from outside the official App store.

Despite several warnings about the risks, Apple will allow European iPhone owners to install apps obtained from outside the official App store (sideloading).

These drastic changes are brought about to comply with the European Union’s (EU) Digital Markets Act (DMA). The Digital Markets Act (DMA) establishes a set of clearly defined objective criteria to identify “gatekeepers”. Gatekeepers are large digital platforms providing so called core platform services, such as for example online search engines, app stores, and messenger services.

The Digital Markets Act aims to regulate the gatekeeper power of the largest digital companies. The EU designated iOS, Safari, and the App Store as “core platform services” under the Digital Markets Act. According to the DMA, Apple as it is now has a monopoly in the App Store, and will no longer be allowed to use that to enforce a monopoly in payments in apps.

For reference, something similar happened when the US accused Microsoft of illegally monopolizing the web browser market for Windows. A few law cases later they reached a settlement in which Microsoft agreed to modify some of its business practices, opening up the opportunity for Windows users to switch to other browsers.

The Apple Newsroom says:

> “The changes include more than 600 new APIs, expanded app analytics, functionality for alternative browser engines, and options for processing app payments and distributing iOS apps.”

But Apple also warns very firmly about the consequences.

> “The new options for processing payments and downloading apps on iOS open new avenues for malware, fraud and scams, illicit and harmful content, and other privacy and security threats.”

Another big change is that web browsers won’t be forced to use Safari’s WebKit engine, opening the space for Chromium based browsers and a more desktop-alike feel for Firefox.

The fact that Apple only allows other browsers to drop WebKit in Europe means that browser developers are forced to make hard choices. Mozilla spokesperson Damiano DeMonte tells The Verge it’s extremely disappointed with the way things turned out.

> “We are still reviewing the technical details but are extremely disappointed with Apple’s proposed plan to restrict the newly-announced BrowserEngineKit to EU-specific apps. The effect of this would be to force an independent browser like Firefox to build and maintain two separate browser implementations — a burden Apple themselves will not have to bear.”

We asked Malwarebytes Director of Core Technology and resident Apple expert Thomas Reed how he felt about the announced changes and the associated risks.

Thomas is waiting for more details as well, but he expects that Apple will use the experience it gathered with macOS by nature of its openness and only open it up only as much as it is forced to, and no more. Thomas expects Apple to impose notarization on iOS apps from outside the App Store, just as they did for macOS.

> “If they completely open up iOS to the same degree as macOS, I think there will be some inevitable malware, adware, and PUP issues. The biggest problem with iOS currently is PUPs and scam apps that manage to get past the review process. I think those will also be a problem with apps from outside the App Store, and I think Apple will combat those similarly. Which is to say, far from perfectly.”

Developers can get acquainted with these changes on the Apple Developer Support page and start testing new capabilities in the iOS 17.4 beta. The new capabilities will become available to users in the 27 EU countries around the beginning of March 2024.

Don’t rely on the fact that this will be limited to the EU. Although the most significant app policy changes apply only to EU countries, other shifts concerning cloud gaming and in-app purchases will take effect worldwide.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

 Apple warns of &#8220;privacy and security threats&#8221; after EU requires it to allow sideloading 

Explicit deepfake images of Taylor Swift caused problems on social media and caused politicians to ask for more legislation

Deepfake images of Taylor Swift have really made some serious waves. Explicit images of the popstar, generated by Artificial Intelligence (AI) were posted on social media and Telegram. The images were viewed millions of times.

The impact of the deepfake was enormous. Social media platform X (formerly known as Twitter) even blocked searches for Taylor Swift’s name, saying:

> “This is a temporary action and done with an abundance of caution as we prioritize safety on this issue.”

X’s policies say it explicitly prohibits the sharing of “synthetic, manipulated, or out-of-context media that may deceive or confuse people and lead to harm”, as well as the posting of Non-Consensual Nudity (NCN) images. But apparently it was not easy to quickly remove the images and take actions against the accounts that were posting them.

Searches for Taylor Swift and some related terms were also blocked on Instagram, instead displaying “the search terms used were sometimes associated with activities of dangerous organizations and individuals.”

The uproar about the fake images of the popstar was so loud that some politicians started calling for laws to prohibit the creation of deepfakes. While in many countries and some US states, the creation of deepfakes is prohibited, there are currently no federal laws against the sharing or creation of deepfake images.

In 2020 we discussed deepfake legislation in the United States. In a rare example of legislative haste, roughly one dozen state and federal bills were introduced in 2019 to regulate deepfakes, mostly out of fear that they could upend democracy.

Although it is doubtful that any law would have stopped the creation of the images, it might have blocked or dampened the rapid way in which the images were spread.

However, deepfakes started as a new form of pornography and most of the deepfakes created and posted online today are still of a pornographic nature. They also disproportionally target women, which should make appropriate legislation a bigger priority than being able to recognize deepfakes.

Like Adam Dodge, founder of the nonprofit End Technology-Enabled Abuse, or EndTAB, said a few years ago:

> “The reality is, when it comes to the battle against deepfakes, everybody is focused on detection, on debunking and unmasking a video as a deepfake. That doesn’t help women, because the people watching those videos don’t care that they’re fake.”

Well-known women, like actresses and musicians, are particularly at risk of falling victim to this type of abuse.

Taylor Swift herself is furious about the AI images circulating online and is considering legal action against the sick deepfake porn site hosting them.

Taylor Swift has a legal team at her disposal, but if you are the victim of “revenge porn” or other forms of non-consensual nudity, you should know it’s much easier to take down nonconsensual porn content than it used to be. A growing number of companies will voluntarily take down nonconsensual porn on their platforms, regardless of whether the victim owns the copyright.

For step-by-step instructions on how to report and take down nonconsensual porn across multiple technology platforms including Instagram, X (Twitter), Reddit, Tumblr, Google, Facebook, and TikTok, you can use Cyber Civil Rights Initiative’s new Online Removal Guide.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Deepfake Taylor Swift images circulate online, politicians call for laws to ban deepfake creation 

Senior Privacy Advocate David Ruiz speaks with Bruce Schneier about artificial intelligence, surveillance, and an era of "mass spying."

For decades, governments and companies have surveilled the conversations, movements, and behavior of the public.

And then the internet came along and made that a whole lot easier.  

Today, search engines collect our queries, browsers collect our device information, smartphones collect out locations, social media platforms collect our conversations with one another, and, depending on the country, governments either collect that same information from the companies that maintain it, or they gather it directly themselves by monitoring their people.

That’s a lot of data that, until now, has been difficult to parse at scale.

But cryptographer and computer security professional Bruce Schneier believes that’s going to change, all because of the advent of artificial intelligence.

Already equipped with reams of data, governments and companies will now be able to ask AI models to make conclusions _from_ the data, Schneier said, supercharging the human work of inquiry with the limitless scale of AI.

“Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”

In January, Senior Privacy Advocate David Ruiz (and host of the Lock and Code podcast) spoke with Schneier about the future of AI-enabled mass spying—the implications, the responses from the public, and whether there’s any hope in dismantling a system so deeply embedded in the modern world.

Below is an edited transcript of their conversation.

**DAVID RUIZ**: We know that mass surveillance has this “Collect it all” mentality—of the NSA, obviously, but also from companies that gather clicks and shares and locations and app downloads and all of that.

What is the mass spying equivalent of that?

**BRUCE SCHNEIER**: So, it’s “Collect it all,” but it’s “Collect different things.”

Let’s step back here.

We kind of know what mass surveillance, mass spying looks like. It’s the kind of thing we saw in former East Germany, where like 10 percent of the population spied on 90 percent of the population. And it was incredibly manpower intensive.

Now, we moved into a world of automatic mass surveillance with the rise of the internet and the rise of cheap data storage and processing. This is maybe 20 years ago, when companies and the NSA start collecting mass surveillance data, and that is metadata—the kind of data that Snowden talked about—data about data. Data from your phone, from your browser, who you spoke to, where you went, what you spent money on, what websites you visited, that’s kind of mass surveillance data.

> Spying, the difference I’m making, is about conversations.

And while computers were easily able to interpret location data and data about who you spoke to—your email “from” and “to” lines—they weren’t able to interpret what you said.  Voice conversations, text conversations, email conversations, they could do keyword searches and if you think about, Chinese censorship is based pretty naively on keyword searches. \[For instance,\] you say the bad word, you get censored. That’s still very primitive.

Spying—listening in on a conversation, knowing what people are saying—required human beings, and there weren’t enough humans to listen to everything. So, you had this automatic surveillance: We can know where everybody is, that’s easy.  But knowing what everybody’s saying, we still couldn’t do—we didn’t have the people.

As AI becomes increasingly capable of understanding and even having conversations, it can start doing the role that people used to do and engage in this kind of spying at a mass level.

Now, the question you asked started me in this monologue is what did that look like? And the answer is: We have no idea.

We kind of know what East Germany looked like, former Soviet Union. We do know what some of these countries look like. But I don’t think it’s the same. It is not this kind of mass spying by corporations. Or by democratic governments. So, we don’t know. But it’s worth at least thinking about. 

**DAVID RUIZ**: When I was trying to answer my own question, I feel like one of the potential futures here is, instead of “Collect it all,” it’s this attempt at “Know it all.”

**BRUCE SCHNEIER**: It always was “Know it all,” but now it becomes more possible.

**DAVID RUIZ**: Yeah, and I was hypothesizing that there might be companies that say “We have created a package of questions that we use on AIs that we know and trust to discover these new insights,” and \[they\] sell these packages to companies that are trying to find out XYZ and ABC about their customers, or governments about their persons.

And that already sounds awful. It sounds both boring and dreadful, which is what I think surveillance is today—it is boring operationally in terms of \[how\] we don’t see data brokers. We don’t see what gets collected every single day behind the interface of the web. But it is used so much to power the direction of the web.

**BRUCE SCHNEIER**: And my guess is that’s right. And it’s not actually boring. Certainly, the companies wanted you to think that. It is very hidden. Data brokers spent a lot of effort making sure that there’s no visibility into their industry, so we don’t know the data being collected on us.

But remember, this is still all surveillance data. It’s not the contents of your phone calls, it’s the billing information. It’s who you called, what time, how long you spoke, that kind of information. Maybe the location of your two phones when you were talking. This brings it up to another level. 

**DAVID RUIZ**: You mentioned that this is the conversations—the content of communications. And I wanted to address that immediately because I think whenever spying is discussed, a lot of folks picture someone rifling through text messages or emails. And I think some people might balk at that. They might say and reject the premise based on things like “Oh, Apple can’t look at my iMessages, and Google said it wouldn’t advertise based on email content some years ago, and my phone provider, I don’t think, is recording my phone calls.”

So, my question after those kinds of claims, is: Is that too narrow a lens to understand this future of mass spying? What am I missing when I say those things to calm myself down?

**BRUCE SCHNEIER**: I think it’s all economics. Google did realize that eavesdropping on the contents of your Gmail wasn’t terribly useful. So, they didn’t do it. Of course, they made a virtue out of it. That stuff will change.

We’re already seeing \[the questions of\] “Is this company using your data to train their AI? Will it be used to influence how an AI interacts with you?”\[And\] already we can see that the tones of voice we use with these AI chatbots is mirrored. They say they’re not storing it and using it for training—we don’t know the answer.

As this stuff becomes more valuable, as companies see a business interest in using it, of course it’s going to be used. It’s not going to be a world where we \[can\] rely on the goodness of the hearts of for-profit corporations not to abuse our privacy.

So, it’s a matter of how cheap it is. It is going to become cheap for Google to eavesdrop on the contents of everyone’s email conversations, or for Zoom to eavesdrop on all meetings? They currently say they’re not \[monitoring meetings in\] their terms of service, they’ll probably \[receive\] push back if they change it—they were already pushed back because there was a thought that Zoom would be using your information to train an AI. \[It\] turned out to not be true, but there was a little panic there. But how long does that last? 

We saw this with Facebook and their surveillance over the years and decades.

They did a new thing, there was a pushback, there’s an outcry, and after a couple months, it was the new normal. So, I don’t know where this is going to go, but the tech is moving to the point where this stuff is possible and, in fact, easy. 

**DAVID RUIZ**: We talked about the business case for \[AI-enabled mass spying\] and I wanted to ask more broadly: Who will engage in AI mass spying?

**BRUCE SCHNEIER**: The answer is going to be everybody who can.

Who are the major players here? Certainly there are corporations who are doing it for manipulation purposes. Surveillance is the business model of the internet because advertising is the business model of the internet, and advertising is convincing you to do something that you might not have done otherwise.

So, this surveillance-based manipulation is the business model, and anything that gives a company an advantage, they’re going to do. We \[already\] saw that with personalized advertising \[which is\] based on characteristics that you might not be happy sharing.

So, companies will do that.

Now, in the West, we tend not to have governments do this on their own citizens—they rely on corporations. The US government doesn’t spy on us directly, they get the spying data from corporations who do that to everybody.

You go to other countries, more totalitarian countries, and governments do engage in surveillance and will engage in spying. Here, I’m thinking about China, but other countries as well. So, very much think of it in terms of power:

> Those that have the power will engage in the behaviors because it magnifies their power. There is no surprise. 

**DAVID RUIZ**: There’s a lot of times where we could think “Why would a company do this? Why would a government do this?” And there’s a lot of alleged reasons. The NSA will say that it collects as much data as possible for national security reasons, but they’ve been saying that for decades, and the national security reason seems to change every few years, right? There’s a, there’s a “national security risk du jour.”

And it’s much easier and simpler to think of it as those that have power hope to keep that power and amass more of it.

I wanted to separately ask: We talked about corporations. We talked about governments. What about people? I have access to AI tools in a way that I don’t have access to data collection regimes.

So, are people going to spy on people?

**BRUCE SCHNEIER**:  People are already spying on people. It’s more one-on-one. There’s an entire industry of super creepy spyware that is sold to people who want to spy on their wives and girlfriends. This is kind of a gross industry, but it exists and it is used in many countries.

So, yes. But here again, the power matters, and it’s generally the more powerful spying on the less powerful in a relationship. It’s generally the man spying on the woman because that’s the power imbalance.

When you think about bulk surveillance, it’s access to the data.

I really can’t spy on my neighborhood. Sure, I can set up a camera in front of my house and watch what’s going on in my street, but that’s all I could do. I don’t have the power to put cameras everywhere. I don’t have the power to get your email or your Zoom stream.

So, I think you are going to see some use of these technologies by people who are not traditionally powerful. But in general, like all these technologies, they benefit the powerful more than the less powerful.

**DAVID RUIZ**: We know that people act differently when they know they’re being surveilled—will that also apply to mass spying?

**BRUCE SCHNEIER**: Certainly, people in the United States have lived out of this kind of regime in post-9/11. Lots of Muslims lived in a world where they were being spied on a lot.

Lots of people—Jon Penney comes to mind, there are others—have researched how the feeling that you’re under constant surveillance—or spying, they’re both the same here—leads to self-censorship.

If you think you are being watched all the time, you behave differently. We do know that there’s an enormous chilling effect on how you behave, what you do, on your conformity. And if you think you’re being watched all the time, you tend to conform. You’re not going to do something different. You’re not going to stand out.

> This seems really bad for society because that’s how society innovates. A world where people don’t try new things is a world that stagnates.

To take an easy example, about 10 years ago, I forget the year, gay marriage became legal in the United States, in all 50 states. It became the law of the land and that change was the result of a multi-decade process. For a while it was illegal and immoral, then it was illegal and moral, and then it became legal and moral.  And in order for that to happen—in order for that whole progression—somebody way back in the beginning had to try gay sex once and say: “You know, that wasn’t so bad. That was kind of fun.”

And the reason they were able to do that is that they weren’t being watched. They could do it in the privacy of their own bedroom and no one could stop them.

If you live in a world where, whether it’s gay sex or marijuana or whatever it is that becomes the mainstream moral norm over several generations, if you can’t try it, if there can’t be a counterculture of doing it, it never will become the social norm. If everybody who tried pot in the ‘50s was immediately discovered and arrested, you’d never get to legalization. You never would get a generation of people that would say, “You know, that’s not that bad. Why are we criminalizing this kind of not harmful drug?”

**DAVID RUIZ**: On the current environment that we live in, where so much surveillance happens every day—again, both from corporations and from governments—it doesn’t seem like there’s any way to dismantle it. And it feels like the potential of mass spying to produce even deeper insights means that we’ve lost the battle on surveillance. Have we lost that battle?

**BRUCE SCHNEIER**: I never think it’s too late, and that kind of fatalism doesn’t make sense when you look at history. It’s like saying in the 1200s, “Well, we tried to fight against monarchy. I guess that didn’t work. It’s too late.” Or centuries later, “You know, we tried to fight against slavery, that didn’t work.” Or, “You know, we’ll never give women the vote. That ship has sailed.”

> We, as a species, regularly make our society more moral, more ethical, more egalitarian. It’s slow, it’s bursty, but decade over decade, century over century, we are improving.

So, no, I don’t think from now until the end of our species, the level of surveillance we see today cannot be rolled back. I think that is ridiculous.

We no longer send five-year-olds up chimneys to clean them. We don’t do that. We changed. We no longer allow companies to sell pajamas that catch on fire. We changed. We can do that here.

Like the other big things, like monarchy, like slavery, like the patriarchy, these things are going to be hard to dismantle, but they are dismantlable.

Near term, I think you’re right. Near term, both companies and governments are just punch-drunk on our data, and they’re not going to give it up. But long term, lots of things are possible and will happen. 

**DAVID RUIZ**: I mean this as a high compliment: You are the most optimistic guest we’ve had on the podcast.

**BRUCE SCHNEIER**: I’m near term pessimistic and long term optimistic. Near term, I think we’re screwed. The tech monopolies are so powerful, and we saw that with social media. Both Republicans and Democrats agreed—this never happened before—that Facebook was harming our society in different ways, but it’s harming society. \[They\] called Zuckerberg in, called the other companies in, yelled at them, \[said\] something must be done, and nothing was done.

That is sheer lobbying power right there in operation.

So, near term, I don’t see any solution, but our species has handled harder problems than this. This won’t be the one that stumps us.

**DAVID RUIZ**: What do we do at this point? 

**BRUCE SCHNEIER**: I want this to be a political issue. This stuff changes when it becomes an issue that voters care about. If there is a debate question on this, if this becomes something that politicians are asked about, then change will happen, right? If it isn’t, then it is really just the lobbyists that get to decide what happens.

“What should we do?” is agitate for change. Make this political, make this something that politicians can’t ignore.

Where change is happening is the EU. You have listeners in the EU, and they will know that things are happening there. Right now, Europe is the regulatory superpower on the planet. They are the jurisdiction where we got a comprehensive data privacy law, where they are passing an AI security law, stuff that you would never see in the United States.

So, look outside the US right now, but make this political. That’s how we’re going to make it better.

But we’re fighting uphill. It’s very hard in the United States to enact policies that the money doesn’t want. Money gets its way in in US policy. And the money wants this. 

**DAVID RUIZ**: And I think disentangling money from politics in the United States is a different \[conversation\], and unfortunately we don’t have the time for it.

**BRUCE SCHNEIER**: No, surely you can solve that in half an hour.

**DAVID RUIZ**: Actually, are you booked for the next half hour?

**BRUCE SCHNEIER**: If I was able to solve that, I would be not doing what I’m doing now, because, you’re right, that might not be the most important problem, but as Professor Larry Lessig said, it’s the first problem. It’s a problem we need to solve to solve every other problem.

 In conversation: Bruce Schneier on AI-powered mass spying 

This week on the Lock and Code podcast, we speak with Bruce Schneier about a future of AI-powered mass spying.

_This week on the Lock and Code podcast…_

If the internet helped create the era of mass surveillance, then artificial intelligence will bring about an era of mass spying.

That’s the latest prediction from noted cryptographer and computer security professional Bruce Schneier, who, in December, shared a vision of the near future where artificial intelligence—AI—will be able to comb through reams of surveillance data to answer the types of questions that, previously, only humans could.  

“Spying is limited by the need for human labor,” Schneier wrote. “AI is about to change that.”

As theorized by Schneier, if fed enough conversations, AI tools could spot who first started a rumor online, identify who is planning to attend a political protest (or unionize a workforce), and even who is plotting a crime.

But “there’s so much more,” Schneier said.

“To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.”

Today, on the Lock and Code podcast with host David Ruiz, we speak with Bruce Schneier about artificial intelligence, Soviet era government surveillance, personal spyware, and why companies will likely leap at the opportunity to use AI on their customers.

> “Surveillance-based manipulation is the business model \[of the internet\] and anything that gives a company an advantage, they’re going to do.”

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

 Bruce Schneier predicts a future of AI-powered mass spying: Lock and Code S05E03 

Hewlett Packard Enterprise revealed in a filing that it was breached by Russian group Cozy Bear, similar to Microsoft.

Hewlett Packard Enterprise (HPE) has disclosed that the state-sponsored actor known as Cozy Bear (aka Midnight Blizzard), gained unauthorized access to HPE’s cloud-based email environment.

This news comes only days after Microsoft broke very similar news that it got hacked by this same state sponsored group. Cozy Bear, who is generally linked to the Russian Foreign Intelligence Service, also known as the SVR, seems to be extremely curious to find out the intelligence information several tech giants gathered about it.

HPE stated in a form K-8 filing with the U.S. Securities and Exchange Commission (SEC) that:

> “Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

So far, the ongoing investigation showed that HPE’s cloud email environment was compromised in May of 2023, at which point Cozy Bear stole a limited number of SharePoint files.

In a statement to CRN last Wednesday, HPE said the impacted cloud email system was a Microsoft Office 365 environment, and said that the attacker leveraged a compromised account to access the email environment.

The accessed data was limited to information contained in the users’ mailboxes. As the investigation stands now, the company says the incident has not had a material impact on its operations, and is reasonably unlikely to materially impact the company’s financial condition or results of operations.

It is unsure if the Microsoft and HPE incidents are linked. Even though the news came out days apart, the actual incidents were months apart: HPE in May and Microsoft in November. However, in both incidents there is a notable focus on security staff and so it appears that Cozy Bear is trying to find out what information US tech giants have about it.

Without further details though, it’s all speculation. The question is if we will ever hear these details.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

 Hewlett Packard Enterprise also searched by Cozy Bear 

A list of topics we covered in the week of January 22 to January 28 of 2024

January 25, 2024 - Chinese speaking users looking for Telegram, or LINE are being targeted with malicious ads. Instead of downloading the legitimate application, they install malware.

January 25, 2024 - ThreatDown has earned 37/37 awards over nine consecutive quarters.

January 24, 2024 - 2023 was the worst ransomware year on record for Education.

January 24, 2024 - Your smart devices may reveal information about you or your location to an ex-partner. Here's how to lock them out.

January 24, 2024 - Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

Source

Malwarebytes