Tuesday Newsday Dec 5 - Dec 11: LogoFAIL Firmware Attacks, ICANN Searches Enabled, & The World's First AI Regulation
We may be inching closer and closer to the new year, but things at the Internet kitchen aren't slowing down any time soon. This week we're looking at a variety of breaches, a controversial decision by ICANN, and the first in what may be a slew of AI-targeted regulation. Let's get going!
The vulnerability, dubbed "LogoFAIL," allows malicious actors to bypass multiple security endpoints during the bootloading process and execute virtually any command they desire. Researchers at Binarly were able to exploit critical vulnerabilities in the UEFI bootloading process while the manufacturer's logo was being displayed, hence the name of the exploit.
Conversely, smartphones and other devices that rely on alternative boot mechanisms aren’t affected by this vulnerability.
ICANN stands for the Internet Corporation for Assigned Names and Numbers, and it is the non-profit entity that regulates the global domain name system.
Recently, they launched a Registration Data Request Service (RDRS), which is a centralized point to request data from participating registrars. ICANN made information redaction policy changes in 2018 to be compliant with GDPR, so the existence of RDRS could be seen as a way to get around regulations.
Registrars aren't forced to be participants, nor does the RDRS guarantee access to the requested data. Even so, the existence of the platform itself is dubious, to put it lightly. It's yet to be seen how many registrars will willingly participate in the face of potential public backlash.
The "AI Act" is likely to be the world's first comprehensive set of rules and regulations to govern the development of AI, and will presumably act as the benchmark for similar laws elsewhere in the world.
The legislation mandates transparency in the development of AI-powered applications, as well as several required benchmarks, risk assessments, and a consumer complaint platform. The legislation would also ban the use of AI for scraping facial images from CCTV and the use of AI systems to "manipulate human behavior" or "exploit the vulnerabilities of people."
TL;DR
- Major vulnerabilities in UEFI hardware; stay tuned for hotfixes
- ICANN releases its controversial WHOIS lookup service
- The EU is trying to reel in generative AI
Whether it's hackers demanding human-animal hybrids, North Korean money laundering, or vulnerable bootloaders, the internet can be a really dangerous place. In a world where your data is a precious resource, why take any chances? Keep yourself safe online with a proactive and comprehensive privacy strategy. It's never too late to keep yourself and your data safe online.