china - Tagged - Security Boulevard
The Home of the Security Bloggers Network
Wed, 28 Aug 2024 16:57:30 +0000

China Cyberwar Coming? Versa’s Vice: Volt Typhoon’s Target https://securityboulevard.com/2024/08/china-cyberwar-coming-versas-vice-volt-typhoons-target/ Wed, 28 Aug 2024 16:57:30 +0000 https://securityboulevard.com/?p=2029126 A Chinese flag flies on a high pole

Xi whiz: Versa Networks criticized for swerving the blame.

The post China Cyberwar Coming? Versa’s Vice: Volt Typhoon’s Target appeared first on Security Boulevard.

TikTok Abuses Kids, say DoJ and FTC https://securityboulevard.com/2024/08/tiktok-sued-doj-ftc-coppa-richixbw/ Mon, 05 Aug 2024 16:19:09 +0000 https://securityboulevard.com/?p=2026655

For You Plague: U.S. Justice Dept. and Federal Trade Commission file lawsuit, alleging TikTok broke the COPPA law, plus a previous injunction.

The post TikTok Abuses Kids, say DoJ and FTC appeared first on Security Boulevard.

Complex Technology Stack Supports Sprawling Chinese Crime Operation https://securityboulevard.com/2024/07/complex-technology-stack-supports-sprawling-chinese-crime-operation/ Mon, 22 Jul 2024 19:09:54 +0000 https://securityboulevard.com/?p=2025120 Chinese cybercrime illegal online gambling

A cybercrime group called Vigorish Viper runs a complex suite of technologies that support the sprawling operations of a Chinese crime syndicate that has its reach into illegal online sports gambling and Europe's most popular soccer teams.

The post Complex Technology Stack Supports Sprawling Chinese Crime Operation appeared first on Security Boulevard.

Paperclip Maximizers, Artificial Intelligence and Natural Stupidity https://securityboulevard.com/2024/07/paperclip-maximizers-artificial-intelligence-and-natural-stupidity/ Sun, 07 Jul 2024 16:57:00 +0000 http://securityboulevard.com/?guid=b64402cf8bca509c770c882a9f29bcaf
Article from MIT Technology Review -- How existential risk became the biggest meme in AI
Existential risk from AI

Some believe an existential risk accompanies the development or emergence of artificial general intelligence (AGI). Quantifying the probability of this risk is a hard problem, to say nothing of calculating the probabilities of the many non-existential risks that may merely delay civilization's progress.

AI systems as we have known them have been mostly application-specific expert systems, programmed to parse inputs, apply some math, and return useful derivatives of the inputs. These systems are different from non-AI applications because they apply the inputs they receive and the information they produce to future decisions. It's almost as if the machine were learning.

An example of a single-purpose expert system is Spambayes. Spambayes is based on an idea of Paul Graham's. It's an open source project that applies supervised machine learning and Bayesian probabilities to calculate the likelihood that a given email is spam or not spam, also known as ham. Spambayes parses emails, applies an algorithm to the contents of a given email, and produces a probability that the message is spam or ham.

The user of the email account with Spambayes can read the messages and train the expert system by changing the classification of any given message from spam to ham or ham to spam. These human corrections cause the application to update the probabilities that given word combinations, spelling errors, typos, links, etc., occur in spammy or hammy messages.

Application specific expert systems are a form of artificial intelligence, but they are narrowly focused and not general purpose. They are good at one thing and don't have the flexibility to go from classifying spam messages to executing arbitrary tasks.

Artificial intelligence systems have been around for decades and there have been no realized existential risks. What makes artificial general intelligence systems so problematic?

AI pessimists believe AGI systems are dangerous because they will be smarter and faster than humans, and capable of mastering new skills. If these systems aren't "aligned" with human interests, they may pursue their own objectives at the expense of everything else. This could even happen by accident.

Hypothetically, let's say an AGI system is tasked with curing cancer. Because this system is capable of performing any "thinking" related task, it may dedicate cycles to figuring out how it can cure cancer more quickly. Perhaps it concludes it needs more general purpose computers on which to run its algorithm.

In its effort to add more compute, it catalogs and learns how to exploit all of the known remote code execution vulnerabilities and uses this knowledge to both exploit vulnerable systems, and to discover new exploits. Eventually it is capable of taking over all general purpose computers and tasking them with running its distributed cancer cure finding algorithm.

Unfortunately, all general purpose computers, including ones like the one on which you're likely reading this post, many safety-critical systems, emergency management and dispatch systems, logistics systems, smart televisions and phones, all cease to perform their original programming in favor of finding the cure for cancer.

Billions of people die of dysentery and dehydration as water treatment systems cease performing their primary functions. Industrial farming systems collapse and starvation spreads. Chaos reigns in major urban areas, as riots, looting, and fires rage until the fuel that drives them is left smoldering. The skies turn black over most cities worldwide.


Scenarios like this one are similar to the idea of the paperclip maximizer, which is a thought experiment proposed by Nick Bostrom wherein a powerful AI system is built to maximize the number of paperclips in the universe, which leads to the destruction of humanity who have to be eliminated because they may turn off the system and they are made of atoms that may be useful in the construction of paperclips.

Some people think this is ridiculous. They'll just unplug the damn computer, but remember, this is a computer that *thinks* thousands of times faster than you. It can anticipate 100s of 1000s of your next moves and ways to thwart them before you even think of one next move. And it's not just a computer, it's now all general purpose computers that it has appropriated. The system would anticipate that humans would try and shut it down and would think through all the ways it could prevent that action. Ironically, in its effort to find a cure for cancer in humans, the system becomes a cancer on general purpose computing.


Do I think any of this is possible? In short, no. I'm not an expert in artificial intelligence or machine learning. I've worked in tech for more than 30 years and played with computers for more than 40 now. During that time I've been a hobbyist programmer, a computer science student, a sysadmin, a database admin, a developer, and I've mostly worked in security incident response and detection engineering roles. I've worked with experts in ML and AI. I've worked on complex systems with massive scale.

I'm skeptical that humans will create AGI, let alone an AGI capable of taking over all the general purpose computing resources in the world as in my hypothetical scenario. Large complex software projects are extremely difficult and they are subject to the same entropy as everything else. Hard drives fail, capacitors blow out, electrical surges fry electrical components like network switches. Power goes out, generators fail or run out of fuel and entire data centers go offline. Failure is inevitable. Rust never sleeps.

Mystifying advances in AI will continue. These systems may radically change how we live and work, for better and worse, which is a long-winded way of saying the non-existential risks are greater than the existential risk. The benefits of these advances outweigh the risks. Large language models have already demonstrated that they can make an average programmer more efficient and I think we're in the very early innings with these technologies.

In the nearer term, it's more likely human suffering related to AGI comes from conflict over the technology's inputs rather than as a result of its outputs. Taiwan Semiconductor (TSMC) produces most of the chips that drive AI and potentially AGI systems. China recognizes the strategic importance of Taiwan (TSMC included) and is pushing for reunification. Given China's global economic power, geographic proximity, and cultural ties, reunification feels inevitable, but also unlikely to happen without tragic loss of life. Escalation of that conflict presents an existential risk in more immediate need of mitigation than dreams of AGI.

The post Paperclip Maximizers, Artificial Intelligence and Natural Stupidity appeared first on Security Boulevard.

Temu is Malware — It Sells Your Info, Accuses Ark. AG https://securityboulevard.com/2024/06/temu-malware-arkansas-richixbw/ Fri, 28 Jun 2024 17:18:14 +0000 https://securityboulevard.com/?p=2022867 The Temu app on a smartphone screen peeking out from a pocket

Chinese fast-fashion-cum-junk retailer “is a data-theft business.”

The post Temu is Malware — It Sells Your Info, Accuses Ark. AG appeared first on Security Boulevard.

Millions and Millions of Fraud Domains: China attacks Illegal Gambling and Telecom Fraud https://securityboulevard.com/2024/06/millions-and-millions-of-fraud-domains-china-attacks-illegal-gambling-and-telecom-fraud/ Mon, 24 Jun 2024 15:10:00 +0000 http://securityboulevard.com/?guid=8c0160ddd5e6988b3abd3785a6b65d13

Last week I was reviewing a publication by the United Nations Office on Drugs and Crime published in January 2024, titled "Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat."

(URL to the UNODC report: UNODC: Casinos, Money Laundering, Underground Banking ... full report)

(URL to the USIP report: https://www.usip.org/node/160386 )


The reason I was looking into the report is that this 106 page report is about how Chinese organized crime has planted themselves in Casino complexes across Cambodia, Indonesia, Lao PDR, the Philippines, Thailand, and Viet Nam. The same modus operandi that we associate with the crypto investment scams that use the horrible name "pig butchering" to describe the financial grooming that leads to the complete financial devastation of so many Americans. In fact, I discovered the UN report only by seeing it quoted in the report by the United States Institute of Peace, "Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security," where it was mentioned in a footnote.

Examining Chinese Ministry of Public Security reports

The UNODC report shares statistics from a Ministry of Public Security of China note, without providing a URL, that "between January to November 2023, authorities in the country successfully resolved 391,000 cases related to telecommunications and network fraud, totaling the arrest of 79,000 suspects, including 263 'backbone members or paymasters' of cyberfraud groups" (in the countries mentioned above.) This included:

  • interception of 2.75 BILLION fraud calls
  • interception of 2.28 BILLION fraud messages
  • the removal of 8.36 million fraud-related domain names
  • and 328.8 billion yuan (US $46 billion) in funds related to fraud cases.

Since I am working on a project that we call "Twenty Targets for Takedown" that is attempting to shut down illicit websites by terminating their domain registrations and hosting arrangements, the number "8.36 million fraud-related domains" made me shudder.

I am fortunate to count among my network some of the leading experts in domain-name related fraud and abuse. The number seemed overwhelmingly high, and I asked my colleagues from CAUCE, the Coalition Against Unsolicited Commercial Email, for assistance in looking into it. One quick opinion was that this could include a definition of domain name that would be more akin to a hostname, similar to what we have on Blogspot. "garwarner.blogspot.com" is a hostname on the domain "blogspot.com" ... but some would call it a "fully qualified domain name" and consider it a separate FQDN than other xyz.blogspot.com or abc.blogspot.com "domains."

John Levine helped me solve the "did they really mean millions, or is this possibly a bad translation" by helping me find the Ministry of Public Security site where the article was coming from and share several updated versions of these statistics.



18 Million Websites! 

The latest article we can find, dated 31MAY2024, quotes Li Guozhong (李国中), the Spokesman for China's Ministry of Public Security, describing their successes over the past five years. In 2021, they established a National Anti-Fraud Center which sent out 660 million notices and were able to help stop fraud against 18.44 million people. This most recent article, which is focused on fraud and doesn't mention gambling at all, says that they have "handled 18 million domain names and websites." That's a machine translation of (处置涉案域名网址1800万个). I can confirm the 18 million ... written as 1800 ten thousands - 1800万个. Handled is perhaps better rendered "disposed of" 处置 (Chǔzhì). Still unsure how to interpret 域名 (Yùmíng - Domain name) 网址 (Wǎngzhǐ - website), but I think for now, I'm going to assume it means "URLs" or "FQDNs" as opposed to only registered domains.

The Anti-Fraud Center has intercepted 6.99 billion fraud calls and 6.84 billion text messages and intercepted 1.1 trillion yuan of funds. At current exchange rates, that would be around $151 Billion US Dollars!   

Just since July 2023, 49,000 cyber fraud suspects have been transferred to China from northern Myanmar. 82,000 criminal suspects have been arrested, including 426 key "financial backers" behind the fraud groups.


Several maps help to demonstrate what's going on in Southeast Asia: 

(Source: Figure 1 from the afore-mentioned USIP report) 

Source: afore-mentioned UNODC report -- note the Myanmar/China border, which is where most of the Chinese rescues and raids have been conducted.


How Much Fraud? $64 Billion to $157 Billion per year!


The US Institute of Peace report estimates that there are as many as 500,000 scammers deployed in the region, earning potentially $64 Billion per year in fraud. The methodology they used for this calculation came from the UNODC report above. On p. 55 of that report, the UN said that they estimated each scammer was earning between $300 and 400 per day, and that they believed there were 80,000 to 100,000 scammers working six days per week in one unnamed Mekong country.  Using that estimate, they gave a "range" of $7.5 Billion to $12.5 billion in scam revenue for that country.  These numbers were calculated consistently with a Chinese MPS report about an initiative they called "Operation Chain Break" which estimated that scam compounds, including gambling and cyber scams, were generating $157 Billion per year. 

China's Ministry of Public Security is actively conducting military style raids to help recover these fraud suspects from northern Myanmar, where China shares a long border with the country, which remains deeply embroiled in a state of civil war. MPS is also working collectively with other Southeast Asian countries and says it has "destroyed 37 overseas fraud dens." 

China Launches Month of National Anti-Fraud Action

Today (24JUN2024) China launched a new month-long "National Anti-Fraud Action" with a nation-wide campaign that declares "Beware of new fraud methods and don't be a tool for telecom fraud." The campaign uses what China calls a "Five-In" approach, meaning that Chinese citizens will see and spread anti-fraud messages in Communities, Rural Areas, Families, Schools, and Businesses. Students will be provided materials to share with their families, Employees will be encouraged to share anti-fraud messages and materials with their families and communities, and Chinese Communist Party offices in rural areas and civic organizations will make sure the message is spread in those areas as well. The materials being prepared will be written separately to address the awareness needs of merchants, accounting personnel, minors, and the elderly, describing each fraud typology and helping to describe methods to safeguard from these typologies. A major objective will also be to help understand how to avoid becoming a "tool" or an "accomplice" of these fraud rings, who prey on the financially vulnerable to help them launder the proceeds of their crime. The Ministry of Public Security will jointly publish the "Overseas Telecom Network Fraud Prevention Handbook" with the Ministry of Foreign Affairs and the Ministry of Education to help improve prevention awareness especially for overseas students and diaspora Chinese communities. Major news media and new media platforms will continuously feature anti-fraud reports to strengthen and educate the public on fraud prevention and "continue to set off a new wave of anti-fraud among the whole people the whole society."

Gee, doesn't that sound like REACT's Erin West and Operation Shamrock -- but with the full cooperation of the Government and Society? 


The announcement of the month of National Anti-Fraud Action concludes with some more recent statistics about the work of the National Anti-Fraud Center.  Just since 2023, today's report says that they have: 
  • pushed out 420 million warning and dissuasion instructions
  • met with 14.77 million people face-to-face to give warnings 
  • made 310 million phone calls to warn victims
  • sent 230 million dissuasion text messages
  • intercepted 3.7 billion fraud calls 
  • intercepted 2.96 billion fraud-related text messages
  • blocked 11.619 million fraud-related domain names -- BLOCKED - this may mean "prevented access via Chinese Internet" -- which may mean the sites are still available to victimize foreigners
  • intercepted 452.9 billion yuan of funds ($62 Billion USD)

What does this mean to those of us in the United States? If China is doing an all-hands "Five-In" awareness campaign and deploying police for face-to-face dissuasion, the fraudsters may very realistically need to INCREASE their targeting of overseas victims to make up for the projected revenue hit this new effort may create.

To quote Director Easterly at CISA: SHIELDS UP! 

The post Millions and Millions of Fraud Domains: China attacks Illegal Gambling and Telecom Fraud appeared first on Security Boulevard.

Chinese Threats Aim for Government Sector  https://securityboulevard.com/2024/06/chinese-threats-aim-for-government-sector/ Fri, 14 Jun 2024 12:10:37 +0000 https://securityboulevard.com/?p=2021588 China, threats, scams, CISA TP-Link Volt Typhoon

The rise in U.S.-politics-themed scams indicates that adversarial nation states understand the significance of election years.

The post Chinese Threats Aim for Government Sector  appeared first on Security Boulevard.

TikTok Ban — ByteDance Sues US to Kill Bill https://securityboulevard.com/2024/05/tiktok-sues-us-ban-richixbw/ Wed, 08 May 2024 13:46:31 +0000 https://securityboulevard.com/?p=2017307 TikTok logo

PAFACA SueTok: U.S. Courts “likely” to rule whether new law is constitutional—or even practical.

The post TikTok Ban — ByteDance Sues US to Kill Bill appeared first on Security Boulevard.

Nigeria, Romania, Russia, U.S. Among Top Cybercrime Nations https://securityboulevard.com/2024/04/nigeria-romania-russia-u-s-among-top-cybercrime-nations/ Wed, 24 Apr 2024 13:00:25 +0000 https://securityboulevard.com/?p=2015770 world map

Russia and Ukraine topped a list of cybercrime-producing nations, followed by China and the United States, with African nation Nigeria rounding out the top five.

The post Nigeria, Romania, Russia, U.S. Among Top Cybercrime Nations appeared first on Security Boulevard.

Why Major American Companies Held a Joint Cyber Drill, and You Should Too https://securityboulevard.com/2024/04/why-major-american-companies-held-a-joint-cyber-drill-and-you-should-too/ Thu, 11 Apr 2024 16:07:05 +0000 https://www.coro.net/?p=13837 Employees from large US enterprises, including Mastercard, Lumen Technologies, AT&T, and others recently joined with...

The post Why Major American Companies Held a Joint Cyber Drill, and You Should Too appeared first on Security Boulevard.
