Security News for the Week Ending December 22, 2023
Low Code/No Code Apps Not A Security Nirvana
Just because the computer is generating much of the code does not mean the software is free of bugs or is secure. In fact, since the people using these tools are often not developers, the code may be less secure. Details at The Hacker News
As If Twitter Doesn’t Have Enough Problems, EU Now Investigating DSA Violations
The EU Digital Services Act, which covers transparency, moderation, illegal content, deceptive design practices and other requirements for large service providers, is the reason the EU has started an investigation of Twitter. I am sure this will be long and drawn out, but definitely not pretty. Credit: The Record
Comcast/Xfinity Issues Mass Password Reset but Doesn’t Say Why
I always wonder what a company’s strategy is when they do something like a mass password reset but don’t say why. Do they think that people won’t find out? Comcast got compromised by the recent CitrixBleed attack and lost data on over 35 million customers. The data included the usual fields, including secret questions and answers, and analysis is continuing. If you reuse secret questions/answers, now would be a good time to stop doing that. Credit: Bleeping Computer
Anthropic AI Will Now Defend Customers Against Copyright Claims
Anthropic (the company behind the Claude AI model) has updated its terms of service to include indemnification for customers against copyright claims—including settlements: “we will defend our customers from any copyright infringement claim made against them for their authorized use of our services or their outputs, and we will pay for any approved settlements or judgments that result.” Sounds like they are concerned customers might flee. Credit: Steptoe
T-Mobile Continues its Tradition of System Breaches
Mint Mobile, a prepaid budget brand owned by T-Mobile, disclosed a new data breach that exposed enough customer information to allow hackers to execute SIM swap attacks and take over customers’ accounts – and once that is done, they can take over everything from email to bank accounts. T-Mobile says that they don’t store credit cards, even though their web site talks about stored credit cards (maybe they tokenize card numbers). They say that credit card information wasn’t stolen. T-Mobile has had more breaches in the last few years than any other carrier, by far. Credit: Bleeping Computer
Child Sex Abuse Material (CSAM) Found in AI Dataset
I guess this should not come as a surprise, as these tools vacuum up anything and everything. The LAION-5B dataset is the basis for many AI models. Researchers found over 1,000 CSAM images inside the largest training dataset. The 5B in the dataset name likely refers to the 5 billion images it contains. Researchers said that this was only part of what they found. LAION says they are removing the dataset temporarily to get rid of those few specific images, but of course, the damage is already done since copies of this dataset are everywhere. Since the law has not caught up, there are no consequences to having CSAM (which is very illegal) inside your dataset (because how would anyone sift through 5 billion images – if you cared to do that). Credit: Vice