'Be super careful with AI. It's potentially more dangerous than nukes'
Plus: 'Facebook is not a Law Enforcement issue!'
QuoTW This week will go down in IT history as the week Microsoft scrapped its long-running fixer-upper day of the week – Patch Tuesday. No longer will Tuesdays be about Redmond plugging the latest breaches in software and sorting out its security problems.
Now Tuesdays will be about… updates. Yes, indeed, by changing the name of the day to Update Tuesday, and including “non-security updates”, Microsoft reckons it’s going to get those security fixes in under the wire. Spokesperson Brandon LeBlanc said:
Rather than waiting for months and bundling together a bunch of improvements into a larger update as we did for the Windows 8.1 Update, customers can expect that we'll use our already existing monthly update process to deliver more frequent improvements along with the security updates normally provided as part of “Update Tuesday”.
Examples of some of these non-security updates are the Windows Store Refresh in May and the June update to OneDrive to improve your control of sync. Some of these improvements might be more visible or even new features, while others might be more 'behind-the-scenes' that improve things like the performance and reliability of your device.
The first of the newly branded Tuesdays will happen next week, when a few new feature bundles will be coming folks’ way, instead of the huge number of upgrades people were hoping for.
In Blighty, a hapless hacker tried a devious phishing scam out on the wrong guy when he attempted to ensnare a Reg reader in his web of deceit. A rather sophisticated piece of social engineering was sent to the wife of reader Paul in the form of a request for payment to a hotel in Spain that had actually been booked by the family.
The holiday was sorted out on Booking.com and the email followed afterwards, claiming the payment hadn’t been processed properly so a wire transfer to a Polish bank account was required instead. What made the scam so slick was that it contained the name of the actual hotel the family had booked, along with the dates of their stay, the reader’s home address and the correct amount for the stay. Paul told El Reg:
The email looked incredibly authentic and given the personal details contained, looked very plausible.
Security experts said that the breach may have happened on the Spanish hotel’s end, although it’s just a theory. The details could also have been slurped by Trojan harvesting from Paul’s own machine or, less likely, a breach on Booking.com. Chris Boyd, a malware intelligence analyst at anti-virus firm Malwarebytes, said:
I don't think there's been a breach at Booking.com because the net would be ablaze with comments and targeted phishing emails which means it is possible they're phoning up hotels and - perhaps - working their way through guest lists then sending their highly targeted missives to unfortunate individuals.
The victim in this case can probably rest easy - I don't think they were singled out for any other reason than they happened to be on the hotel books the scammers picked on the day. Having said that, they should run some AV scans if they haven't already and keep a close eye on any unusual attempts at outgoing payments just in case there is any malware involvement.
In other cybersecurity news, Russian hackers have reportedly collected the largest ever trove of stolen website passwords - up to 1.2 billion - by slurping the personal info from poorly secured databases.
Hold Security owner Alex Holden said that a network of computers were hijacked by malware and controlled by the gang, which identified more than 420,000 sites vulnerable to SQL injection attacks. The so-called CyberVors than attacked the vulnerable servers and got 4.5 billion username and password combos, which boiled down to 1.2 billion after repeats were discounted.
Holden told The New York Times he wouldn’t name the sites because of nondisclosure agreements, but said:
Hackers did not just target US companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites. And most of these sites are still vulnerable.
He added that the data hadn’t been sold off by the crims, but was being used to spam social networks.
Without the names of the sites, it has been difficult to fully verify Holden’s claims and the fact that his firm is charging website owners $120 a year to find out if their systems have been compromised has led some to wonder if his story is legit. Veteran security researcher Graham Cluley said:
There was an alarming lack of information supplied by Hold Security in its official statement about the discovery and something just didn’t “feel right”.
Although he added that just because Hold Security was using the breach as a plug for its services didn’t necessarily mean the breach didn’t exist:
Even if you find Hold Security’s handling of the announcement either tasteless, cack-handed or conceived by somebody with no marketing common-sense, it doesn’t mean that its findings are not for real.
He also pointed out that respected security blogger Brian Krebs had stuck up for Holden on his own blog:
Alex isn’t keen on disclosing his methods, but I have seen his research and data firsthand and can say it’s definitely for real. Without spilling his secrets or methods, it is clear that he has a first-hand view on the day-to-day activities of some very active organised cybercrime networks and actors.
Meanwhile, police have reminded folks that as devastating as Facebook outages are, they are not a matter for the authorities to deal with. When the social network’s servers stumbled briefly this week, Los Angeles Sheriff Department took to Twitter to let frightened users cut off from their news feeds know that Facebook’s servers were not a matter for the long arm of the law:
#Facebook is not a Law Enforcement issue, please don't call us about it being down, we don't know when FB will be back up!— Sgt. Brink (@LASDBrink) August 1, 2014
The network said that it was only down briefly:
Earlier this morning, some people had trouble accessing Facebook for a short time. We quickly investigated and are currently restoring service for everyone. We're sorry for the inconvenience.
And finally, billionaire entrepreneur Elon Musk has warned the human race that artificial intelligence, which he invests in, is a threat to us all. According to books that he reads, Musk reckons that AI is up there with nuclear war in terms of apocalyptic potential and he’s sinking his money into it to make sure he has some control over its capacity to go rogue, start building Terminators and destroy us all.
The SpaceX and Tesla founder tweeted:
Worth reading Superintelligence by Bostrom. We need to be super careful with AI. Potentially more dangerous than nukes. ®