Robin’s Newsletter #251

9 April 2023. Volume 6, Issue 15
Genesis Market seizure leads to 119 arrests. The UK on being a responsible cyber power. Security and privacy risks of AI chatbots.

This week

  • An FBI-led operation with over a dozen other international partners seized control of Genesis Market, one of the world’s largest cybercrime forums. The site offered criminals access to ‘bots’ with browser fingerprints to impersonate individuals and avoid triggering multi-factor authentication and other security protections.
  • Operation Cookie Monster, as it is called, resulted in coordinated law enforcement action in 15 different countries and led to 119 arrests, 208 searches and other interviews with persons of interest. The FBI gained access to Genesis Market’s user database, giving the username, password, email, messenger and account history for around 59,000 users of the site. This data also allowed for individuals to be identified and targeted for arrest.

Responsible cyber power

  • Responsible cyber power is the theme of a policy paper released by the UK’s National Cyber Force (NCF) this week.
  • The paper acknowledges the NCF “doctrine of cognitive effect” whereby the joint GCHQ and MOD team degrades the infrastructure and operating environment of targets to “weaken their ability to plan and conduct activities effectively.” Going after the opponent’s perception is believed to be more effective than destroying the infrastructure, which may be trivial to replace.
  • The paper says that being accountable, precise and calibrated are the core principles of NCF operations.

AI Chatbot security and privacy risk

  • Chatbot risks such as ‘jailbreaking’ (giving prompts to role-play as a different chatbot or to disregard guardrails) and the potential for data poisoning of training data sets are pretty well acknowledged. But, as AI large language models gain the ability to access the web, concern is shifting to the potential for malicious actors to inject prompts into the copy on websites.
  • Meanwhile, data protection regulators in France, Germany, Ireland and Norway are all closely following an Italian investigation into OpenAI’s data protection practices. Italy’s Garante believes that the ChatGPT-maker has four problems under GDPR: it can’t prevent under-13s from using the platform; it can provide inaccurate information about people; people weren’t told their data was collected; and OpenAI has ‘no legal basis’ for hoovering up large amounts of personal information from the Internet.

Interesting stats

300% increase in cyber insurance costs since July 2014, according to brokerage Howden, and referenced in the Economic Report of the President (PDF), ‘transmitted to Congress’ last month. The report (h/t @IelTop) also includes a graph of the data:

Nominal cyber insurance prices over time (Source: Economic Report of the President; Data: Howden)

Other newsy bits / in brief 

Fundraising: Congratulations to former colleagues at Quantexa on their oversubscribed $129 million Series E fundraising round and $1.8 billion valuation. A spinout from KPMG Studio, the firm’s internal incubator, called Cranium has raised $7 million and launched out of stealth to ‘protect AI pipelines’.

And finally

  • Google Pay accidentally transferred some users between $10 and $1,000 after it botched internal testing of a rewards programme. While it reversed the transactions in many cases, for those where the user had transferred or spent the money, Google said “the money is yours to keep,” adding that “no further action is necessary.”
