Category: Privacy

Razzlekhan, the self-proclaimed Crocodile of Wall Street, pleads guilty to the biggest crypto laundering scheme in history, and just how safe are you typing while on a Zoom call? Meanwhile, Graham rants about public EV chargers. All this and more is discussed in the latest edition of the award-winning "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.
Dr 90210 finds himself in a sticky situation after his patients' plastic surgery photos AND more end up in the hands of hackers, emails to the US military end up in the wrong hands, and script kiddies salivate at the thought of Business Email Compromise powered by generative AI. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by T-Minus Space Daily’s Maria Varmazis.

Imagine a future in which AIs automatically interpret—and enforce—laws.

All day and every day, you constantly receive highly personalized instructions for how to comply with the law, sent directly by your government and law enforcement. You’re told how to cross the street, how fast to drive on the way to work, and what you’re allowed to say or do online—if you’re in any situation that might have legal implications, you’re told exactly what to do, in real time.

Imagine that the computer system formulating these personal legal directives at mass scale is so complex that no one can explain how it reasons or works. But if you ignore a directive, the system will know, and it’ll be used as evidence in the prosecution that’s sure to follow.

This future may not be far off—automatic detection of lawbreaking is nothing new. Speed cameras and traffic-light cameras have been around for years. These systems automatically issue citations to the car’s owner based on the license plate. In such cases, the defendant is presumed guilty unless they prove otherwise, by naming and notifying the driver.

In New York, AI systems equipped with facial recognition technology are being used by businesses to identify shoplifters. Similar AI-powered systems are being used by retailers in Australia and the United Kingdom to identify shoplifters and provide real-time tailored alerts to employees or security personnel. China is experimenting with even more powerful forms of automated legal enforcement and targeted surveillance.

Breathalyzers are another example of automatic detection. They estimate blood alcohol content by calculating the number of alcohol molecules in the breath via an electrochemical reaction or infrared analysis (they’re basically computers with fuel cells or spectrometers attached). And they’re not without controversy: Courts across the country have found serious flaws and technical deficiencies with Breathalyzer devices and the software that powers them. Despite this, criminal defendants struggle to obtain access to devices or their software source code, with Breathalyzer companies and courts often refusing to grant such access. In the few cases where courts have actually ordered such disclosures, that has usually followed costly legal battles spanning many years.

AI is about to make this issue much more complicated, and could drastically expand the types of laws that can be enforced in this manner. Some legal scholars predict that computationally personalized law and its automated enforcement are the future of law. These would be administered by what Anthony Casey and Anthony Niblett call “microdirectives,” which provide individualized instructions for legal compliance in a particular scenario.

Made possible by advances in surveillance, communications technologies, and big-data analytics, microdirectives will be a new and predominant form of law shaped largely by machines. They are “micro” because they are not impersonal general rules or standards, but tailored to one specific circumstance. And they are “directives” because they prescribe action or inaction required by law.

A Digital Millennium Copyright Act takedown notice is a present-day example of a microdirective. The DMCA’s enforcement is almost fully automated, with copyright “bots” constantly scanning the internet for copyright-infringing material, and automatically sending literally hundreds of millions of DMCA takedown notices daily to platforms and users. A DMCA takedown notice is tailored to the recipient’s specific legal circumstances. It also directs action—remove the targeted content or prove that it’s not infringing—based on the law.

It’s easy to see how the AI systems being deployed by retailers to identify shoplifters could be redesigned to employ microdirectives. In addition to alerting business owners, the systems could also send alerts to the identified persons themselves, with tailored legal directions or notices.

A future where AIs interpret, apply, and enforce most laws at societal scale like this will exponentially magnify problems around fairness, transparency, and freedom. Forget about software transparency—well-resourced AI firms, like Breathalyzer companies today, would no doubt ferociously guard their systems for competitive reasons. These systems would likely be so complex that even their designers would not be able to explain how the AIs interpret and apply the law—something we’re already seeing with today’s deep learning neural network systems, which are unable to explain their reasoning.

Even the law itself could become hopelessly vast and opaque. Legal microdirectives sent en masse for countless scenarios, each representing authoritative legal findings formulated by opaque computational processes, could create an expansive and increasingly complex body of law that would grow ad infinitum.

And this brings us to the heart of the issue: If you’re accused by a computer, are you entitled to review that computer’s inner workings and potentially challenge its accuracy in court? What does cross-examination look like when the prosecutor’s witness is a computer? How could you possibly access, analyze, and understand all microdirectives relevant to your case in order to challenge the AI’s legal interpretation? How could courts hope to ensure equal application of the law? Like the man from the country in Franz Kafka’s parable in The Trial, you’d die waiting for access to the law, because the law is limitless and incomprehensible.

This system would present an unprecedented threat to freedom. Ubiquitous AI-powered surveillance in society will be necessary to enable such automated enforcement. On top of that, research—including empirical studies conducted by one of us (Penney)—has shown that personalized legal threats or commands that originate from sources of authority—state or corporate—can have powerful chilling effects on people’s willingness to speak or act freely. Imagine receiving very specific legal instructions from law enforcement about what to say or do in a situation: Would you feel you had a choice to act freely?

This is a vision of AI’s invasive and Byzantine law of the future that chills to the bone. It would be unlike any other law system we’ve seen before in human history, and far more dangerous for our freedoms. Indeed, some legal scholars argue that this future would effectively be the death of law.

Yet it is not a future we must endure. Proposed bans on surveillance technology like facial recognition systems can be expanded to cover those enabling invasive automated legal enforcement. Laws can mandate interpretability and explainability for AI systems to ensure everyone can understand and explain how the systems operate. If a system is too complex, maybe it shouldn’t be deployed in legal contexts. Enforcement by personalized legal processes needs to be highly regulated to ensure oversight, and should be employed only where chilling effects are less likely, like in benign government administration or regulatory contexts where fundamental rights and freedoms are not at risk.

AI will inevitably change the course of law. It already has. But we don’t have to accept its most extreme and maximal instantiations, either today or tomorrow.

This essay was written with Jon Penney, and previously appeared on Slate.com.

Former Prime Minister Boris Johnson wants to hand over his WhatsApp messages - or does he? And a couple of fun-loving girls from Aberdeen have come up with a sinister twist on sextortion scams. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley (from a mystery location) and Carole Theriault.

A fledgling security category referred to as Cloud-Native Application Protection Platforms (CNAPP) is starting to reshape the cybersecurity landscape.

Related: Computing workloads return on-prem

CNAPP solutions assemble a varied mix of security tools and best practices and focuses them on intensively monitoring and managing cloud-native software, from development to deployment.

Companies are finding that CNAPP solutions can materially improve the security postures of both cloud-native and on-premises IT resources by unifying security and compliance capabilities. However, to achieve this higher-level payoff, CISOs and CIOs must first bury the hatchet and truly collaborate – a bonus return.

In a ringing endorsement, Microsoft recently unveiled its CNAPP offering, Microsoft Defender for Cloud; this is sure to put CNAPP on a rising adoption curve with many of the software giant’s enterprise customers, globally. Meanwhile, Cisco on May 24 completed its acquisition of Lightspin, boosting its CNAPP capabilities, and Palo Alto Networks has continued to steadily sharpen its CNAPP chops, most recently with the acquisition of Cider Security.

At RSA Conference 2023, I counted at least 35 other vendors aligning their core services to CNAPP, in one way or another; many more seem likely to jump on the CNAPP band wagon, going forward.

Newer vendors now primarily pitching CNAPP services include Uptycs,  Runecast and Ermetic. Others range from vulnerability management (VM) stalwarts Tenable, Rapid7 and Qualys, to vendors crossing over from the cloud security posture management (CSPM) space, like Caveonix, Lacework and Wiz. Even endpoint security giants Trend Micro and Sophos have commenced pitching CNAPP solutions; so too are API security supplier Data Theorem and secure services edge (SSE) vendor Zscaler.

Winckless

CNAPP at this juncture appeals mainly to enterprises that maintain large software development communities in the public cloud, Charlie Winckless, Gartner Senior Director Analyst, told me. “CNAPP products are tied to cloud maturity,” he explains. “This will continue to grow, but other security controls will remain important as well. CNAPPs protect cloud environments and the majority of organizations will be hybrid for a significant amount of time.”

Managing dynamic risks

Several developments have converged to put CNAPP on a fast track. Massive interconnectivity at the cloud edge is just getting started and will only intensify, going forward. This portends amazing advancements for humankind – and fresh revenue streams for innovative enterprises — but first a tectonic shift in network security must fully play out.

This is because the attack surface of cloud-native applications is expanding rapidly, with malicious hackers targeting insecure code up and down the software supply chain. Ransomware, email fraud and data theft continue to run rampant aided and abetted by insecure configurations of the myriad access points connecting on-premises and cloud IT assets.

The cybersecurity industry’s competitive bent hasn’t made it easy for companies to understand, much less gain control of these escalating exposures spinning out of a such a highly dynamic operating environment. To protect new cloud-native assets, rival vendors have pushed forward an alphabet-soup of upgraded iterations of legacy tools and all-new technologies – without paying much attention to interoperability.

The result has been a stark lack of integration which has translated into an excessive volume of alerts, a good percentage of them trivial or even false. Tension between security teams trying to cope and software developers striving to innovate as fast as possible has boiled over. Something in the form of CNAPP (as coined by Gartner) was bound to come along.

According to  Gartner’s March 2023 CNAPP market guide, CNAPP solutions consolidate multiple security and protection capabilities into a single platform capable of prioritizing excessive risks. This revolves around granular monitoring and management of cloud-native applications.

This type of overarching approach to securing modern networks can iterate from legacy security technologies, such as VM or endpoint detection and response (EDR,) or  it can extend from newer services, such as software composition analysis (SCA,) cloud workload protection platforms (CWPP,) cloud infrastructure entitlements management (CIEM.)

And now Microsoft has set out to prove that it makes good sense to come at it from the operating system level. That said, the Gartner report acknowledges that CNAPP is in a very early stage and cautions that no single vendor is best-of-breed in every capability.

New level of collaboration

It may be early, but CNAPP is demonstrating that it does a few things very well: reducing complexity, for one. There’s a huge need for this. Some 80 percent of respondents to Palo Alto Networks’ 2023 State of Cloud-Native Security Report expressed the need for a centralized security solution, with 76 percent reporting that using multiple security tools has created blind spots that make it difficult to prioritize and mitigate risk.

Segal

“Stitching together disparate security tools often results in security blind spots,” says Ory Segal, CTO of Prisma Cloud, Palo Alto’s CNAPP offering. “Attempting to triage security issues reported from multiple security systems, used by different teams, is close to impossible.”

One Palo Alto customer, a well-known global multimedia organization, recently replaced several tools with Prisma Cloud, which then swiftly detected a significant number of malicious bots abusing an API search function in one of their internet-exposed cloud workloads, Segal told me.

“Once they were aware of the abuse, they enabled bot protection on the platform and saw a dramatic decrease in daily operational costs — from thousands of dollars a day to $50 a day,” he says.

Dooley

A notable intangible benefit of CNAPP is that it eases the burden on stretched-thin security teams and creates space for more productive dialogues between security analysts, software developers and IT services. This is leading to a new level of collaboration that’s making a notable difference day-to-day for companies embracing CNAPP, says Doug Dooley, CTO at Data Thereom.

At present, security analysts and software developers tussle over shifting code audits to the left, as early as possible in the software development cycle, while IT staff separately focuses on wrangling configuration settings of cloud-hosted IT infrastructure, a piecemeal approach to security. “So this idea of artifact scanning, cloud configuration hardening, and runtime protection, particularly in production, those three programs needed to merge together,” Dooley says. “And that’s what CNAPP, when it works, does really well.”

CNAPP’s emergence happens to align with another trend gaining steam. As part of getting a better handle on their use of cloud-hosted IT infrastructure, some enterprises are reverting to running certain workloads back home — in an on-premises data center, observes Michiel De Lepper, Global Enablement Manager at Runecast. This “back-migration,” he says, is happening because certain workloads are proving to be too costly to run in the cloud, namely resource-intensive AI modeling.

De Lepper

“The IT industry is always evolving and essentially that means ever-increasing complexities because you’ve got disparate environments that you somehow need to cohesively manage,” De Lepper says.

According to Gartner, CNAPP’s superpower is that it can trump complexity by ingesting telemetry, at a deep level, across all key security systems. Advanced data analytics can then be brought to bear setting in motion automated enforcement of smart policies and automated detection and response to live attacks.

Runecast, for instance, takes a proactive approach to risk-based vulnerability management, configuration management, container security, compliance auditing, remediation and reporting. This helps with compliance, at one level, but also continually improves improving a company’s overall security posture, De Lepper told me.

“It’s no longer about creating shields,” De Lepper he says. “Instead, we’re helping our customers plug all the gaps we know that the bad guys can use.”

Synergistic intergration

I heard very similar messaging from all the CNAPP solution providers I’ve reviewed for this article. Indeed, all of them are designed to consolidate some mix of security capabilities into a single platform tuned prioritize and act upon cloud-native risks, and, by extension, exposures in related infrastructure, whether it be in the public cloud, hybrid cloud or  on premises.

The suppliers argue that this leads first and foremost to enhanced visibility not just of individual components, but much more crucially of all the communications between systems – especially connections happening ephemerally in runtime and in the API realm. This is a very positive development for security analysts, software developers and IT staff who desperately need a more unified toolset to help them collectively visually risk and make the highest use of this greater visibility.

CNAPP suppliers are starting to help these three groups lower the cost of compliance and remediate security vulnerabilities much more effectively. Gartner’s Winckless cautions that some vendors may not supply true integration, nor provide a robust feedback loop. “As with many other platforms, it’s important to look for these integrations to provide synergy and not to buy simply a collection of tools that are, at best, loosely interconnected from a single vendor in the hopes of gaining advantage,” he says.

Moving forward, CNAPP seems poised to arise as a core security component of modern business networks.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Going for a jog can be bad for your privacy (but even worse for your health), and Britain's consumer finance champion finds his face is being faked. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

The French police are getting new surveillance powers:

French police should be able to spy on suspects by remotely activating the camera, microphone and GPS of their phones and other devices, lawmakers agreed late on Wednesday, July 5.

[…]

Covering laptops, cars and other connected objects as well as phones, the measure would allow the geolocation of suspects in crimes punishable by at least five years’ jail. Devices could also be remotely activated to record sound and images of people suspected of terror offenses, as well as delinquency and organized crime.

[…]

During a debate on Wednesday, MPs in President Emmanuel Macron’s camp inserted an amendment limiting the use of remote spying to “when justified by the nature and seriousness of the crime” and “for a strictly proportional duration.” Any use of the provision must be approved by a judge, while the total duration of the surveillance cannot exceed six months. And sensitive professions including doctors, journalists, lawyers, judges and MPs would not be legitimate targets.