The Securities and Exchange Commission has provided more details about how its official X account was compromised earlier this month. In a statement, the regulator confirmed that it had been the victim of a SIM swapping attack and that its X account was not secured with multi-factor authentication (MFA) at the time it was accessed.
“The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," it said, referring to a common scam in which attackers persuade customer service representatives to transfer phone numbers to new devices. “Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”
The hack of its X account, which was taken over in order to falsely claim that bitcoin ETFs had been approved, has raised questions about the SEC's security practices. Government-run social media accounts are typically required to have MFA enabled. That an account as high-profile and as capable of moving markets as @SECGov was not using that extra layer of security has already prompted questions from Congress.
In its statement, the SEC said that it asked X’s support staff to disable MFA last July following “issues” with its account access. “Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” it said. “MFA currently is enabled for all SEC social media accounts that offer it.”
While the lack of MFA likely made it much easier to take over the SEC's account, there are still numerous questions about the attack, including how those responsible knew which phone number was associated with the X account, how the unnamed telecom carrier fell for the scam and, of course, who was behind it. One caveat worth noting: an MFA code delivered by SMS would have gone to the same hijacked number, so only an authenticator app or a hardware security key would have stood between the attacker and the reset password. The regulator said it is investigating these questions along with the Department of Justice, the FBI, the Department of Homeland Security and its own Inspector General.
This article originally appeared on Engadget at https://www.engadget.com/the-sec-says-its-x-account-was-taken-over-with-a-sim-swap-attack-004542771.html?src=rss
Another lawmaker is pushing the Securities and Exchange Commission for more information about its security practices following the hack of its verified account on X. In a new letter to the agency's Inspector General, Senator Ron Wyden called for an investigation into "the SEC's apparent failure to follow cybersecurity best practices."
The letter, which was first reported by Axios, comes days after the SEC's official X account was taken over in order to post a tweet claiming that spot bitcoin ETFs had been approved by the regulator. The rogue post temporarily juiced the price of bitcoin and forced SEC chair Gary Gensler to chime in from his X account that the approval had not, in fact, happened. (The SEC did approve 11 spot bitcoin ETFs a day later, with Gensler saying in a statement that "bitcoin is primarily a speculative, volatile asset that's also used for illicit activity.")
The incident has raised a number of questions about the SEC's security practices after officials at X said the financial regulator had not been using multi-factor authentication to secure its account. In the letter, Wyden, who chairs the Senate Finance Committee, said it would be "inexcusable" for the agency not to use additional layers of security to lock down its social media accounts.
“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices,” Wyden wrote. “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity. The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure.”
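Wyden's point about security keys, illustrated with an added example that is not part of the Engadget article and is not SEC or X code: a compact Go model of the WebAuthn login check a site performs when a hardware key is used. The relying-party names (example.com, evil.example), the simplified authenticator data (no signature counter or extensions) and the browser model are assumptions of the example. What it shows is why the key is phishing-resistant: the data the key signs binds the site's origin and a one-time server challenge, so an assertion collected on a look-alike page, or captured and replayed, fails verification. An SMS code, by contrast, is bound to nothing but a phone number, which is exactly what a SIM swap transfers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Relying-party settings. Hypothetical values, not any real service's.
const rpID, rpOrigin = "example.com", "https://example.com"

// clientData mirrors WebAuthn's CollectedClientData (real keys are lowercase).
// The browser, not the page's script, fills in Origin, so a phishing page
// cannot forge it.
type clientData struct{ Type, Challenge, Origin string }

// Assertion is what the server gets back at the end of a login ceremony.
type Assertion struct {
	AuthData       []byte // sha256(rpID) || flags; counter and extensions omitted
	ClientDataJSON []byte
	Sig            []byte // DER ECDSA signature over AuthData || sha256(ClientDataJSON)
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// signedMessage is the byte string the key actually signs.
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign models the browser plus a security key whose P-256 private key never
// leaves the device. pageOrigin is where the user really is; the browser
// refuses an rpID that origin does not own, so a phishing site can only
// obtain an assertion bound to its own domain.
func Sign(key *ecdsa.PrivateKey, pageOrigin, rpid, challenge string) (Assertion, error) {
	if h := strings.TrimPrefix(pageOrigin, "https://"); h != rpid && !strings.HasSuffix(h, "."+rpid) {
		return Assertion{}, fmt.Errorf("browser: %s may not use rpID %s", pageOrigin, rpid)
	}
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", challenge, pageOrigin})
	rpHash := sha256.Sum256([]byte(rpid))
	authData := append(rpHash[:], 0x01) // flag bit 0: user present
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cdJSON))
	return Assertion{authData, cdJSON, sig}, err
}

// Server is the relying party: the public key registered for the account plus
// the single outstanding challenge for the current login attempt.
type Server struct {
	pub       *ecdsa.PublicKey
	challenge string
}

// NewChallenge issues a fresh random value that the assertion must echo back.
func (s *Server) NewChallenge() string {
	b := make([]byte, 16)
	_, err := rand.Read(b)
	must(err)
	s.challenge = fmt.Sprintf("%x", b)
	return s.challenge
}

// Verify applies the checks a relying party makes before accepting a login.
func (s *Server) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || s.challenge == "" || cd.Challenge != s.challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("collected on %q, not %q: relayed from another site", cd.Origin, rpOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(s.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Sig) {
		return fmt.Errorf("bad signature")
	}
	s.challenge = "" // single use
	return nil
}

// Demo registers one key, then runs a genuine login, a phishing relay and a
// replay against the same server; only the first should be accepted.
func Demo() (legit, phished, replayed bool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	srv := &Server{pub: &key.PublicKey}
	good, err := Sign(key, rpOrigin, rpID, srv.NewChallenge()) // user on the real site
	must(err)
	legit = srv.Verify(good) == nil
	// Attacker relays the real challenge to a look-alike site and forwards what
	// the user's key signs there: wrong origin in clientData, wrong rpIdHash.
	stolen, err := Sign(key, "https://evil.example", "evil.example", srv.NewChallenge())
	must(err)
	phished = srv.Verify(stolen) == nil
	replayed = srv.Verify(good) == nil // the earlier genuine assertion, resent
	return
}
```

Demo returns true for the genuine login and false for both the relayed and the replayed assertion. The two checks that do the work are the origin comparison and the single-use challenge; neither has an equivalent in an SMS or e-mail code, which is why a code can be phished or, as in the SEC case, simply delivered to whoever now holds the number.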
Wyden isn’t the only lawmaker who has pushed the SEC for more details about the hack. Senators J. D. Vance and Thom Tillis sent a letter of their own, addressed to Gensler, immediately following the incident. They asked for a briefing about the agency’s security policies and investigation into the hack by January 23.
The SEC didn’t immediately respond to a request for comment. The agency said in an earlier statement that it was working with the FBI and the Inspector General to investigate the matter.
This article originally appeared on Engadget at https://www.engadget.com/senators-want-to-know-why-the-secs-x-account-wasnt-secured-with-mfa-203614701.html?src=rss
The official X account belonging to the Securities and Exchange Commission was briefly “compromised,” the regulator said, after an apparently rogue post on X temporarily juiced bitcoin prices.
On Tuesday, the SEC’s official X account tweeted that bitcoin ETFs had been approved “for listing on all registered national securities exchanges.” The tweet included an official-looking graphic featuring a quote from SEC Chair Gary Gensler. However, Gensler himself quickly clarified from his X account that the post from @SECGov was the result of a “compromised” account.
“The @SECGov twitter account was compromised, and an unauthorized tweet was posted,” Gensler wrote. “The SEC has not approved the listing and trading of spot bitcoin exchange-traded products.”
The confusion comes as the SEC is, in fact, considering whether to approve spot bitcoin ETFs, investment funds that hold the cryptocurrency. The regulator is expected to make a decision Wednesday in a process that has been closely watched by crypto investors.
Naturally, the now-deleted tweet from the SEC’s official (and gray check-verified) account on X prompted a momentary surge in bitcoin prices, followed by a steep decline. The post and subsequent clarification from Gensler “wiped out over $50 million of leveraged derivatives trading positions within an hour,” according to an analysis from CoinDesk.
In an update Wednesday, an SEC spokesperson said the rogue tweet had not been "drafted or created by the SEC." The spokesperson added that "the first public indication" of a change would not come via the agency's X account. "Consistent with existing practice, any Commission action on exchange rule filings would be posted on the relevant section of the SEC’s website at https://www.sec.gov/ and then in the Federal Register."
The SEC hasn't shared details about how its X account was “compromised.” In a statement, an SEC spokesperson told Engadget that it was investigating the matter, and working with the FBI and Inspector General. "The SEC has determined that there was unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time shortly after 4 pm ET," the spokesperson said. "That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct."
X didn’t immediately respond to a request for comment, but the company shared the results of its "preliminary investigation" Tuesday evening.
"We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation," X wrote in a post from its safety account. "Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party. We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised."
X's comments also raise a number of new questions about the takeover. As Bloomberg points out, government-run social media accounts are supposed to use multi-factor authentication as an extra layer of security. If the regulator, which is currently investigating X over its security practices, had lax security settings itself, it would be a significant embarrassment to the agency.
But though X suggested its systems were not compromised, the company could still face scrutiny over whether it's doing enough to protect high-profile accounts. It's also not the first time high-profile government accounts have been hijacked on the platform. In 2020, hackers took over the accounts belonging to Barack Obama, Joe Biden, Elon Musk, Bill Gates and a number of others in a coordinated crypto scam. A Florida teen and two others were later charged, and the company, then known as Twitter, said the hacks were the result of a social engineering scheme.
Update January 9 2024, 6:50PM ET: This story has been updated with a statement from an SEC spokesperson about their investigation.
Update January 9 2024, 11:18PM ET: This story was updated to include comments from X about the SEC's account.
Update January 10 2024, 3:38PM ET: This story has been updated with additional comments from the SEC.
This article originally appeared on Engadget at https://www.engadget.com/the-secs-x-account-was-apparently-compromised-to-falsely-claim-bitcoin-etfs-were-approved-230034839.html?src=rss
AI may or may not take people's jobs in years to come, but in the meantime, there's one thing they cannot obtain: patents. Dr. Stephen Thaler has spent years trying to get patents for two inventions created by his AI "creativity machine" DABUS. Now, the United Kingdom's Supreme Court has rejected his appeal to approve these patents when listing DABUS as the inventor, Reuters reports.
The court's rationale stems from a provision in UK patent law that states, "an inventor must be a natural person." The ruling stipulated that the appeal was unconcerned with whether this should change in the future. "The judgment establishes that UK patent law is currently wholly unsuitable for protecting inventions generated autonomously by AI machines," Thaler's lawyers said in a statement.
Thaler's first attempt to register the patents — for a food container and a flashing light — was in 2018, as owner of the machine that invented them. However, the UK's Intellectual Property Office said he must list an actual human being on the application, and when he refused, it withdrew his application. Thaler fought the decision in the High Court and then the Court of Appeal, with Lady Justice Elisabeth Laing stating, "Only a person can have rights. A machine cannot."
Thaler, an American, also submitted the two products to the United States Patent and Trademark Office, which rejected his application. He also previously sued the US Copyright Office (USCO) for not awarding him the copyright for a piece of art DABUS created. The case reached the US District Court for the District of Columbia, with Judge Beryl Howell's ruling explaining, "Human authorship is a bedrock requirement of copyright." Thaler has argued that this provision is unconstitutional, but the US Supreme Court declined to hear his case, ending any further chances to argue his stance. While the UK and US have rejected Thaler's petitions, he has succeeded in countries such as Australia and South Africa.
This article originally appeared on Engadget at https://www.engadget.com/uk-supreme-court-rules-ai-cant-be-a-patent-inventor-must-be-a-natural-person-131207359.html?src=rss
Following the revelation that our mobile push notification records can be handed over to law enforcement, Apple put the blame on the Department of Justice (DOJ) for preventing tech companies from disclosing such requests. At the same time, the company updated its Legal Process Guidelines document to state that "a subpoena or greater legal process" was required to obtain the relevant records. However, Reuters spotted that a week later, Apple quietly tweaked this particular line to match Google's stricter policy on this matter:
"The Apple ID associated with a registered APNs token and associated records may be obtained with an order under 18 U.S.C. §2703(d) or a search warrant."
In other words, law enforcement will now need a judge's order in order to obtain push notification data from Apple, as has been the case with Google all along, according to a statement provided to Reuters. Engadget reached out to Apple, but it declined to comment on the updated guidelines.
The "push notification spying" concerns were originally brought to light by Oregon Senator Ron Wyden who, in an open letter to the DOJ, claimed that foreign governments have been demanding that Google and Apple provide push notification records. Given that push notifications pass through these companies' servers, the senator is worried that "Apple and Google are in a unique position to facilitate government surveillance of how users are using particular apps."
Wyden then addressed the elephant in the room, by arguing that these two tech giants "should be permitted to be transparent about the legal demands they receive, particularly from foreign governments." Apple's response regarding the DOJ's suppression appears to align with the senator's claims, but it's unclear whether the department will take action on both tech companies' stepped-up transparency on push notification surveillance.
This article originally appeared on Engadget at https://www.engadget.com/apple-now-needs-a-judges-order-to-hand-over-push-notification-records-052710429.html?src=rss
Following a two-year investigation by the National Highway Traffic Safety Administration (NHTSA), Tesla will recall over 2 million vehicles to address Autopilot safety concerns, according to new NHTSA documents. Fixes will be issued to owners for free via over-the-air (OTA) updates to add features that ensure drivers pay attention while using Tesla's controversial driver assistance system. It affects all current Tesla EVs built since Autopilot launched in 2015, including the Model 3, Model Y, Model S and Model X.
"The remedy will incorporate additional controls and alerts to those already existing on affected vehicles to further encourage the driver to adhere to their continuous driving responsibility whenever Autosteer is engaged," the NHTSA stated in a document. It noted that while Autopilot (specifically its Autosteer component) does have several controls to ensure drivers pay attention, they're not always enough.
"In certain circumstances when Autosteer is engaged, the prominence and scope of the feature’s controls may not be sufficient to prevent driver misuse of the SAE Level 2 advanced driver-assistance feature," the document states. That in turn may lead to "an increased risk of a collision."
Tesla was ordered to address the driver monitoring system. "The remedy will incorporate additional controls and alerts to those already existing on affected vehicles to further encourage the driver to adhere to their continuous driving responsibility whenever Autosteer is engaged, which includes keeping their hands on the steering wheel and paying attention to the roadway," it states. Those will include more prominent visual alerts, making it easier to turn Autosteer on and off, and eventual suspension from Autosteer if the driver fails to behave responsibly on an ongoing basis.
In a letter to the NHTSA, Tesla acknowledged the order and said it would issue the required fix. "Tesla will release an over-the-air (OTA) software update, free of charge. Owner notification letters are expected to be mailed February 10, 2023." The order affects 2,031,220 vehicles, though models that went into production after December 7th will have already incorporated the update.
The NHTSA said last August that it was opening an investigation into Autopilot following 11 crashes with parked first responder vehicles since 2018 that resulted in 17 injuries and one death. In a letter to Tesla sent shortly afterward, the regulator requested detailed documentation on how the driver assistance system works. Specifically, it wanted to know how it ensures that human drivers will keep their eyes on the road while Autopilot is engaged and whether there are limits on where it can be used.
This article originally appeared on Engadget at https://www.engadget.com/tesla-recalls-2-million-cars-in-order-to-fix-autopilot-safety-controls-123308343.html?src=rss
A Senate Finance Committee inquiry revealed on Tuesday that police departments can get access to private medical information from pharmacies, no warrant needed. While HIPAA may protect some access to personally identifiable health data, it doesn't stop cops, according to a letter from Senator Ron Wyden, Representative Pramila Jayapal and Representative Sara Jacobs to the Department of Health and Human Services. None of the major US pharmacies are doing anything about it either, the members of Congress say.
"All of the pharmacies surveyed stated that they do not require a warrant prior to sharing pharmacy records with law enforcement agents, unless there is a state law that dictates otherwise," the letter said. "Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued."
The committee reached out to Amazon, Cigna, CVS Health, The Kroger Company, Optum Rx, Rite Aid Corporation, Walgreens Boots Alliance and Walmart about their practices for sharing medical data with police. While Amazon, Cigna, Optum, Walmart and Walgreens said they have law enforcement requests reviewed by legal professionals before complying, CVS Health, The Kroger Company and Rite Aid Corporation said they ask in-store staff to process the request immediately.
Engadget asked the pharmacies mentioned in the letter for comment about the claims. CVS said its pharmacy staff are trained to handle these inquiries and that it is following all applicable laws around the issue. Walgreens said it, too, has a process in place to assess law enforcement requests in compliance with those laws, and Amazon said that although law enforcement requests are rare, it does notify patients and comply with court orders when applicable. The others either haven't responded or declined to comment.
The pharmacies mostly blamed the current lack of legislative protections for patient data for their willingness to comply with police requests. Most of them told the committee that current HIPAA law and other policies let them disclose medical records in response to certain legal requests. That's why the Senate Finance Committee is targeting HHS to strengthen these protections, especially since the 2022 Dobbs decision let states criminalize certain reproductive health decisions.
Under current HIPAA law, patients have the right to know who is accessing their health information. But individuals have to request the medical record disclosure data, instead of health care professionals being required to share it proactively. "Consequently, few people ever request such information, even though many would obviously be concerned to learn about disclosures of their private medical records to law enforcement agencies," the letter states. The letter also urges pharmacies to change their policies to require a warrant, and publish transparency reports about how data is shared.
This article originally appeared on Engadget at https://www.engadget.com/police-are-using-pharmacies-to-secretly-access-medical-information-about-members-of-the-public-182009044.html?src=rss
Following a marathon 72-hour debate, European Union legislators on Friday reached a historic deal on the bloc's expansive AI Act, the broadest-ranging and most far-reaching bill of its kind to date, reports The Washington Post. Details of the deal itself were not immediately available.
"This legislation will represent a standard, a model, for many other jurisdictions out there," Dragoș Tudorache, a Romanian lawmaker co-leading the AI Act negotiation, told The Washington Post, "which means that we have to have an extra duty of care when we draft it because it is going to be an influence for many others."
The proposed regulations would dictate the ways in which future machine learning models could be developed and distributed within the trade bloc, impacting their use in applications ranging from education to employment to healthcare. AI systems would be split into four categories depending on how much societal risk each potentially poses: minimal, limited, high, and banned.
Banned uses would include anything that circumvents the user's will, targets protected social groups or provides real-time biometric tracking (like facial recognition). High-risk uses include anything "intended to be used as a safety component of a product,” or which is to be used in defined applications like critical infrastructure, education, legal/judicial matters and employee hiring. Chatbots like ChatGPT, Bard and Bing would fall under the "limited risk" category.
“The European Commission once again has stepped out in a bold fashion to address emerging technology, just like they had done with data privacy through the GDPR,” Dr. Brandie Nonnecke, Director of the CITRIS Policy Lab at UC Berkeley, told Engadget in 2021. “The proposed regulation is quite interesting in that it is attacking the problem from a risk-based approach,” similar to what's been suggested in Canada’s proposed AI regulatory framework.
Ongoing negotiations over the proposed rules had been disrupted in recent weeks by France, Germany and Italy. They were stonewalling talks over the rules guiding how EU member nations could develop foundation models, generalized AI models from which more specialized applications can be fine-tuned. OpenAI's GPT-4 is one such foundation model, as ChatGPT, GPTs and other third-party applications are all built on its base functionality. The trio of countries worried that stringent EU regulations on generative AI models could hamper member nations' efforts to develop them competitively.
"Artificial intelligence should not be an end in itself, but a tool that has to serve people with the ultimate aim of increasing human well-being," the European Commission wrote in its draft AI regulations. "Rules for artificial intelligence available in the Union market or otherwise affecting Union citizens should thus put people at the centre (be human-centric), so that they can trust that the technology is used in a way that is safe and compliant with the law, including the respect of fundamental rights."
"At the same time, such rules for artificial intelligence should be balanced, proportionate and not unnecessarily constrain or hinder technological development," it continued. "This is of particular importance because, although artificial intelligence is already present in many aspects of people’s daily lives, it is not possible to anticipate all possible uses or applications thereof that may happen in the future."
More recently, the EC has begun collaborating with industry members on a voluntary basis to craft internal rules that would allow companies and regulators to operate under the same agreed-upon ground rules. "[Google CEO Sundar Pichai] and I agreed that we cannot afford to wait until AI regulation actually becomes applicable, and to work together with all AI developers to already develop an AI pact on a voluntary basis ahead of the legal deadline," European Commission (EC) industry chief Thierry Breton said in a May statement. The EC has entered into similar discussions with US-based corporations as well.
Developing...
This article originally appeared on Engadget at https://www.engadget.com/the-eu-has-reached-a-historic-regulatory-agreement-over-ai-development-232157689.html?src=rss
US Senator Ron Wyden wants the public to know about the details surrounding the long-running Hemisphere phone surveillance program. Wyden has written US Attorney General Merrick Garland a letter (PDF), asking him to release additional information about the project that apparently gives law enforcement agencies access to trillions of domestic phone records. In addition, he said that federal, state, local and Tribal law enforcement agencies have the ability to request "often-warrantless searches" from the project's phone records that AT&T has been collecting since 1987.
The Hemisphere project first came to light in 2013 when The New York Times reported that the White House Office of National Drug Control Policy (ONDCP) was paying AT&T to mine and keep records of its customers' phone calls. Four billion new records are getting added to its database every day, and a federal or state law enforcement agency can request a query with a subpoena that they can issue themselves. Any law enforcement officer can send in a request to a single AT&T analyst based in Atlanta, Georgia, Wyden's letter says, even if they're seeking information that's not related to any drug case. And apparently, they can use Hemisphere not just to identify a specific number, but to identify the target's alternate numbers, to obtain location data and to look up the phone records of everyone who's been in communication with the target.
The project has been defunded and refunded by the government several times over the past decade and was even, at one point, receiving federal funding under the name "Data Analytical Services (DAS)." Usually, projects funded by federal agencies would be subject to a mandatory Privacy Impact Assessment conducted by the Department of Justice, which means their records would be made public.
However, Hemisphere's funding passes through a middleman, so it's not required to go through mandatory assessment. To be specific, ONDCP funds the program through the Houston High Intensity Drug Trafficking Area, which is a regional funding organization that distributes federal anti-drug law grants and is governed by a board made up of federal, state and local law enforcement officials. The DOJ had provided Wyden's office with "dozens of pages of material" related to the project in 2019, but they had been labeled "Law Enforcement Sensitive" and cannot be released to the public.
"I have serious concerns about the legality of this surveillance program, and the materials provided by the DOJ contain troubling information that would justifiably outrage many Americans and other members of Congress," Wyden wrote in his letter. "While I have long defended the government’s need to protect classified sources and methods, this surveillance program is not classified and its existence has already been acknowledged by the DOJ in federal court. The public interest in an informed debate about government surveillance far outweighs the need to keep this information secret."
This article originally appeared on Engadget at https://www.engadget.com/us-senator-calls-for-the-public-release-of-att-hemisphere-surveillance-records-083627787.html?src=rss
The Senate Judiciary Committee will hold a hearing on online child sexual exploitation on December 6, and the CEOs of major tech companies are set to testify. The committee expects Meta CEO Mark Zuckerberg and his counterpart at TikTok, Shou Zi Chew, to testify voluntarily. It also wants to hear from the CEOs of X (formerly Twitter), Discord and Snap, and it has issued subpoenas to them.
"Big Tech’s failure to police itself at the expense of our kids cannot go unanswered," committee chair Sen. Dick Durbin (D-IL) and ranking member Sen. Lindsey Graham (R-SC) said in a joint statement, as Reuters reports. "I’m hauling in Big Tech CEOs before the Senate Judiciary Committee to testify on their failure to protect kids online," Durbin wrote on X.
JUST ANNOUNCED: Senate Judiciary Committee will press Big Tech CEOs on their failures to protect kids at hearing on Dec 6.
Subpoenas issued to CEOs of Discord, Snap, & X. Committee remains in discussion w/ Meta, TikTok—expects their CEOs will agree to testify voluntarily.
According to the committee, X and Discord refused to accept service of the subpoenas on their CEOs' behalf, "requiring the committee to enlist the assistance of the US Marshals Service" to serve them personally. "We have been working in good faith to participate in the Judiciary committee’s hearing on child protection online as safety is our top priority at X," Wifredo Fernandez, head of US and Canada government affairs at X, told Engadget in a statement. "Today we are communicating our updated availability to participate in a hearing on this important issue."
“Keeping our users safe, especially young people, is central to everything we do at Discord," a Discord spokesperson told Engadget. "We have been actively engaging with the Committee on how we can best contribute to this important industry discussion. We welcome the opportunity to work together as an industry and with the Committee."
The issue of tech platforms allegedly facilitating harms against kids has become an increasingly pressing issue. Earlier this month, former Meta executive Arturo Béjar testified that Zuckerberg failed to respond to his email detailing concerns about harms facing children on the company's platforms. Senators then demanded documents from the company's CEO "related to senior executives’ knowledge of the mental and physical health harms associated with its platforms, including Facebook and Instagram."
This article originally appeared on Engadget at https://www.engadget.com/tech-ceos-are-set-to-testify-in-a-senate-online-child-sexual-exploitation-hearing-in-december-180206072.html?src=rss