Of course, generative AI tools are the talk of the security industry this year. And Microsoft is no exception. In fact, since 2018, the company has had an AI red team that attacks AI tools to find vulnerabilities and help prevent them from behaving badly.
Outside of Black Hat and Defcon coverage, we detailed the ins and outs of the data privacy that HIPAA provides people in the US, and explained how to use Google’s new “Results About You” tool to get your personal information removed from search results.
But that’s not all. Each week, we round up the security news that we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.
Your keyboard may be exposing your secrets without you even knowing it. Researchers in the UK developed a deep-learning algorithm that can figure out what a person is typing just by listening to keystrokes. In a best-case scenario (for an attacker, that is), the algorithm is 95 percent accurate. The researchers even tested it over Zoom and found it performed with 93 percent accuracy.
Now, if you’re thinking the researchers tested the attack on the noisiest mechanical keyboard they could find, you’d be wrong. They performed their tests on a MacBook Pro. And the attack doesn’t even require fancy recording equipment—a phone’s microphone works just fine. Someone who successfully carries out the attack could use it to learn a target’s passwords or snoop on their conversations. These kinds of acoustic attacks aren’t new, but this research shows they’re getting frighteningly accurate and easier to pull off in the wild.
A series of data breaches rocked the United Kingdom this week. On August 8, the Electoral Commission, the independent body responsible for overseeing elections and regulating political finances, revealed a cyberattack had exposed the data of 40 million voters to hackers. The organization has been unable to determine whether data was taken; however, it says that full names, emails, phone numbers, home addresses, and data provided during contact with the body could be impacted. “The attack has not had an impact on the electoral process,” the commission said. (Elections are run by local councils.)
The commission has, however, been criticized for how it communicated the cyberattack: The incident happened in August 2021 but was detected only in October 2022, and then finally communicated to the public nine months later. It has also been reported the breach may be linked to an unpatched Microsoft Exchange zero-day.
But that wasn’t all. The same day, the Police Service of Northern Ireland (PSNI) accidentally published the names and roles of 10,000 officers and staff in response to a Freedom of Information request. The breach, arguably, has more significant ramifications than that of the Electoral Commission. Officers working in intelligence and security services were included in the breach, which stayed online for three hours. The PSNI blamed “human error” for the breach, and the British data regulator, the Information Commissioner’s Office, has opened an investigation. (Previously, the regulator has issued guidance on making sure information is not accidentally disclosed via spreadsheets.) Since the breach, officers have expressed concerns about their safety, and the police service has been reviewing moving people to different roles for safety reasons.
North Korean hackers don’t just steal cryptocurrency; they may also have stolen Russia’s missile secrets. According to Reuters, the state-linked hacking group Lazarus breached the networks of NPO Mashinostroyeniya, a major Russian missile manufacturer, in late 2021. The breach wasn’t detected until May 2022. A researcher with the cybersecurity firm SentinelOne who discovered the breach said that the hackers would have had “the ability to read email traffic, jump between networks, and extract data,” Reuters reports.
It is unclear what exactly the Lazarus hackers stole while inside the NPO network, although North Korea did announce several updates to its missile program following the breach, so the two may be linked.
Last month, Microsoft revealed damning news: China-based hackers stole a digital key that the company uses to cryptographically sign tokens that are assigned to users when they log in to their Outlook email accounts. The hackers used this stunning access to break into the Outlook accounts of at least 25 organizations, including government bodies. But that’s only the start of the problems for Microsoft.
US senator Ron Wyden, an Oregon Democrat, sent a letter this week demanding three federal inquiries into Microsoft’s “negligent cybersecurity practices,” The Wall Street Journal reports. Wyden also asked that the Cyber Safety Review Board, which the Biden administration created to investigate cybersecurity incidents, look into the incident. And according to Bloomberg News, the review board is already planning to do just that.
Wyden’s letter, which is dated July 27, demands that the Department of Justice, the Federal Trade Commission, and the Cybersecurity and Infrastructure Security Agency all launch investigations. Microsoft, for its part, tells the Journal that it plans to fully cooperate with any federal inquiries into the hack.