Disneyland Now Uses Face Recognition on Visitors

Posted by qimuai. First-hand compilation.

Source: https://www.wired.com/story/security-news-this-week-disneyland-now-uses-face-recognition-on-visitors/

Summary:

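Scare at a Washington dinner: gunman tries to get into the White House Correspondents’ Dinner with Trump in attendance

Last Saturday, a security incident occurred in Washington, DC. A gunman attempted to force his way into the White House Correspondents’ Association dinner while US President Trump, Vice President Vance, and other government officials were in attendance. Media reports and Trump himself quickly identified the suspect as Cole Tomas Allen, a 31-year-old engineer and computer scientist. The California resident was arrested at the scene and appeared on Monday of this week in the US District Court for the District of Columbia to face three federal charges: attempting to assassinate the president, transporting a firearm across state lines, and discharging a firearm during a crime of violence.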

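New AI security measures: FIDO Alliance teams up with Google and Mastercard to set “guardrails” for AI agent transactions

This week, the authentication standards body FIDO Alliance announced that it will set up working groups with Google and Mastercard to develop technical specifications for validating and protecting transactions initiated by AI agents. Meanwhile, given the spread of AI work and the increasing sensitivity of some of it, OpenAI rolled out an “advanced” security risk mode for its ChatGPT and Codex accounts to address the growing risk of attack.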

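European celebrity’s phone hacked: 90,000 private screenshots leaked, a warning on commercial spyware risks

New research this week revealed an incident in which a European celebrity’s phone was compromised: 90,000 screenshots exported from the phone were leaked online. This highlights the dual threat of commercial spyware: it seriously invades personal privacy, and it can lead to large-scale data breaches and abuse. In addition, WIRED reported on arrests in the United Arab Emirates resulting from sharing screenshots and other online content.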

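Weekly security roundup: more incidents worth noting

There is also more security and privacy news. Each week we round up the news we did not cover in depth; click the headlines to read the full stories. Stay safe.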

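Disneyland enables face recognition: visitors can “choose” to scan their face at entry

The Disney company announced this week that at Disneyland Park and Disney California Adventure Park in California, visitors can choose to enter through lanes equipped with face recognition technology. The company calls this “entirely optional,” but also notes that even in a regular lane, “you may still have your image taken.” Like many similar technologies, Disney’s face recognition works by converting face images into numerical values for matching. The company says these values will be deleted after 30 days, “except in cases where data must be maintained for legal or fraud-prevention purposes.” Face recognition systems are now widely used in the United States and around the world, from law enforcement to airports, sports stadiums, and even Madison Square Garden, and are seeping into everyday life.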

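NSA quietly tests Anthropic’s “Mythos” AI tool: built to hunt high-risk vulnerabilities

Anthropic’s “Mythos Preview” AI model has been described as a powerful tool for digging up high-risk vulnerabilities in software, and its use has so far been strictly limited to keep it out of the hands of malicious hackers. So it seems unsurprising that the US National Security Agency (NSA) is taking part in testing. According to Bloomberg and Axios, the NSA is among the first agencies and companies granted access to Mythos (currently limited to 40 organizations). The NSA has used the tool to search for vulnerabilities in Microsoft software, with impressive speed and effectiveness. Although the US Department of Defense previously announced a ban on Anthropic’s tools and plans to transition within six months, the NSA’s testing appears to have been under way before the ban took effect. Anthropic has sued to block the ban. Because the NSA is part of the Department of Defense, it is not yet clear whether it is using Mythos in the window before the ban, or whether the tool is powerful enough to prompt the NSA to reconsider or make an exception.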

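19-year-old new member of the “Scattered Spider” ransomware group arrested in Finland

The notorious “Scattered Spider” ransomware group has carried out large-scale attacks on companies including MGM and Caesars Entertainment, causing enormous losses. Its members are mostly very young, English-speaking hackers from countries that cooperate with US law enforcement, so they often do not escape the law. The latest member to be charged is 19-year-old Peter Stokes, who was arrested at an airport in Finland as he was about to board a flight to Japan. According to the Chicago Tribune, a criminal complaint that has been sealed describes Stokes’s alleged involvement in attacks on four Scattered Spider victim companies. He is accused of helping to steal millions of dollars from these unnamed companies, which include an online communications platform and a luxury retailer. The complaint also says he led a jet-set life, traveling from Dubai to Thailand to New York, and in one photo he wears a diamond-studded necklace that reads “HACK THE PLANET.”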

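Medicare database flaw: Social Security numbers of health care providers nationwide exposed for weeks

According to the Washington Post, a Medicare database accessible on the open internet inadvertently leaked the Social Security numbers and other personal information of health care providers across the US. The database is connected to an online directory of the Centers for Medicare and Medicaid Services (CMS), which lets enrollees check which insurance plans health care providers accept. The report says the sensitive data was exposed online for “at least several weeks.” The directory is part of the Trump administration’s effort to “create a national database of health care providers” and is overseen by Amy Gleason, the acting head of CMS who also serves as head of the US DOGE Service.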

English source:

A gunman attempted to enter the White House Correspondents’ Dinner in Washington, DC, last weekend, while President Donald Trump, Vice President JD Vance, and other administration officials were in attendance. Media reports and Trump himself quickly identified the suspected shooter as 31-year-old engineer and computer scientist Cole Tomas Allen. The California resident was arrested at the scene on Saturday and appeared Monday in the US District Court for the District of Columbia to face three federal charges: attempting to assassinate the president, transportation of a firearm in interstate commerce, and discharge of a firearm during a crime of violence.
The authentication standards body known as the FIDO Alliance announced working groups this week along with Google and Mastercard to develop technical guardrails for validating and protecting transactions initiated by an AI agent. Meanwhile, given the proliferation and increasing sensitivity of some work using AI, OpenAI rolled out an “advanced” security risk mode for ChatGPT and Codex accounts facing heightened risk of attack.
New research this week shed light on an incident in which 90,000 screenshots pulled from a European celebrity's phone were exposed online—underscoring the risks of commercially available spyware both as an invasion of personal privacy and a threat for widespread data breaches and abuse. And WIRED looked at arrests in the United Arab Emirates resulting from people sharing screenshots and other online content.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Disneyland Rolls Out Face Recognition
The Happiest Place on Earth just got a bit creepier. The Walt Disney Company announced this week that visitors to its Disneyland Park and Disney California Adventure Park will have the option to “choose” to enter the park through a lane that’s equipped with face recognition technology. While the company says subjecting yourself to face recognition is “entirely optional,” it notes that “you may still have your image taken” if you enter the parks through lanes without face recognition systems. Disney’s face recognition, like many others, works by converting images of people’s faces into a numerical value, which can then be used to match faces in other images. The company says these numerical values will be deleted after 30 days, “except in cases where data must be maintained for legal or fraud-prevention purposes.”
Face recognition systems are widely used across the United States and the world. Law enforcement agencies frequently use the technology, but it has also proliferated into everyday aspects of life, from airports to MLB and NFL stadiums to Madison Square Garden.
The NSA Is Testing Out Anthropic’s Mythos AI Tool for Discovering Hackable Bugs
Anthropic’s Mythos Preview AI model has been described as so adept at digging up hackable bugs in software that its use has so far been carefully restricted to prevent it from falling into the hands of malicious hackers. So perhaps it would be more of a surprise if the National Security Agency was not already trying it out.
Bloomberg News and Axios reported this week that the NSA was among the agencies and companies granted early access to Mythos, which has been limited to 40 organizations so far, according to Axios. The agency has used the tool to hunt for bugs in Microsoft’s software—naturally, given that it still runs on the majority of the world’s PCs—and has been impressed with its speed and effectiveness in finding exploitable vulnerabilities, according to sources who spoke anonymously to Bloomberg. The agency’s remit, after all, includes some elements of helping the US government discover and patch security vulnerabilities in the software it uses, as well as sometimes exploiting those vulnerabilities in the NSA’s own operations.
The NSA’s testing or adoption of Anthropic’s AI tool appears to have proceeded in spite of the Department of Defense’s declared ban on Anthropic, which followed Defense secretary Pete Hegseth’s claim that the company represented a supply chain risk. Hegseth said in February, however, that the DOD will transition away from Anthropic’s tools over six months, and Anthropic has sued to prevent the ban from being enacted. Given that the NSA is part of the DOD, it’s not clear for now whether the NSA is merely using Mythos in the window before the ban goes into effect, or if the tool is powerful enough to persuade the NSA to rethink its ban—or make an exception.
19-Year-Old Alleged Member of Scattered Spider Ransomware Group Arrested
The ransomware group known as Scattered Spider has been responsible for some of the most damaging extortion-focused hacking campaigns in recent memory, including the breaches of MGM Resorts, Caesars Entertainment, and retailers like M&S and Harrods. It’s also distinguished among ransomware gangs for its membership: often very young, English-speaking hackers based in countries that are cooperative with US law enforcement—and who, therefore, tend to get arrested.
The latest alleged member of the group to be identified and charged is 19-year-old Peter Stokes, who was arrested at an airport in Finland, where he intended to board a flight to Japan. According to the Chicago Tribune, Stokes’ alleged involvement in the targeting of four Scattered Spider victim companies is described in a criminal complaint that has since been placed under seal. Stokes is reportedly accused of helping to steal millions from those unidentified victim companies, which included an online communications platform and a luxury retailer. According to the complaint, he also led a jet-set life, traveling from Dubai to Thailand to New York and appearing in one photo wearing a diamond-studded necklace that read “HACK THE PLANET.”
Medicare Database Exposes Health Care Providers’ Social Security Numbers
A Medicare database left accessible on the open internet inadvertently revealed the Social Security numbers and other personal information for health care providers around the US, the Washington Post reports. The database was linked to an online directory for the Centers for Medicare and Medicaid Services (CMS), which allowed Medicare patients to check which insurance plans health care providers accept. According to the Post, the exposed sensitive data was online for “at least several weeks.” Rollout of the directory is part of an effort by the Trump administration to “create a national database of health care providers,” the Post reports, which is being overseen by Amy Gleason, the acting head of the US DOGE Service who also serves as an official at CMS.
