
Canvas Paid Hackers, AI Chatbots Are Doxxing Users, and More Security Chaos This Week

It's been a rough week on the internet: The fallout from the Canvas breach continues, AI chatbots are handing out people's phone numbers, and Android giveth and taketh away (your security).

By Alan Henry, Managing Editor, Security



The big security news this week was definitely the massive Canvas ransomware hack, which affected more than 9,000 schools and universities, locking students and teachers out of their learning platforms right in the middle of finals season. Instructure, the company that owns Canvas, subsequently paid ShinyHunters, the responsible party, to recover the data and restore Canvas to service. So everyone’s happy, right? Well, by paying, Instructure is essentially telling hackers that crime does, indeed, pay.

Of course, Instructure was under massive pressure to get its systems up and running after the breach, and ransomware isn’t exactly easy to recover from if you’re not prepared for it (an ounce of prevention is worth a pound of cure, after all). Its speed in getting back online likely won’t stem the flow of class action lawsuits resulting from the hack, either. Even worse, the precedent it sets means that other companies may end up trying to pay their way out of ransomware, only to learn that, more often than not, paying the ransom gets you a decryption key that doesn’t work, assuming the hackers don’t simply ghost you once they have your money. 

In AI-related news this week, as security experts have predicted, hackers have been using AI to search for zero-day vulnerabilities to exploit. Luckily, Google researchers spotted the campaign and helped the vendor in question patch its software before anything could come of it. Meanwhile, Microsoft is working on its own new AI model designed to find software vulnerabilities in record time. That model has already uncovered over a dozen Windows vulnerabilities, and much like Anthropic’s Mythos, the company is keeping it close to its chest for now. 

Let’s see what else is going on in the infosec world this week. 


AI Chatbots Are Giving Out People’s Real Phone Numbers

One issue with AI is that most LLMs and chatbots are trained on every scrap of data an AI company can find, whether that information is intended to be public or not. And even when the data is public, it can be unintentionally divulged to users for the wrong reasons. Eileen Guo, writing for MIT Technology Review, examines a new problem emblematic of our AI age: Chatbots are revealing people’s real phone numbers and other personally identifiable information, in some cases unintentionally, and in other cases without the kinds of protections that would normally apply if someone went looking for a person’s contact information. 

In the story, Guo speaks to people whose phone numbers were misidentified by AI as customer service or support numbers. One person’s phone number was surfaced by Gemini after random people asked for help finding lawyers, locksmiths, and even product designers. Another was a developer whose phone number surfaced as a WhatsApp contact for someone looking for help with a company’s product. Many had no connection to products or services at all: in one case, a student was messing around with Gemini and managed to get the chatbot to give her the personal phone number of a lab colleague. 

It’s all kind of worrisome, and even if you visit a chatbot right now and ask it for a person’s phone number, it should complain about the request and say that it won’t give out personal information. But if you poke it a little bit and reframe the question, it’s not difficult to get it to cough up those details. DeleteMe, a company that helps remove people’s personal information from the web, was cited in the story as having seen privacy requests related to AI increase by more than 400%. Of course, this also raises the question Guo mentions in her piece: What about other “public” data, such as voter registrations and court records? Will AI chatbots surface that kind of information as well, and at what point is this all considered doxxing?


Android 17 to Expand Banking Scam Call and Privacy Protections

Google has teased some features coming to Android 17 that will hopefully make dealing with scams and robocalls much easier. According to Bleeping Computer, the company plans to expand the security offered by Android’s Advanced Protection mode with new notifications for scam and spam apps, improvements to how apps handle accessibility features, and more. Additionally, Android 17 will get a new feature that automatically detects and disconnects calls from known scammers, with Google working with financial institutions to identify them, as well as robocallers spoofing their phone numbers. 

Android will also get updates to Live Threat Detection, which aims to fill the gap between you installing a safe app from the Play Store and the app going rogue with later updates. Live Threat Detection is designed to help combat spyware and stalkerware by monitoring installed apps for unusual or risky behavior, such as background app launches, concealed on-screen displays, SMS message forwarding, and other malicious activity. Overall, phones running Android 17 will benefit first from updates, but Google has said it plans to extend many of those features back to Android 11. 


Any App on Recent Android Versions Can Leak Traffic 

OK Android users, you got the good news. Now it’s time for the bad. According to Mullvad, one of our favorite VPN providers, any app can leak traffic when a VPN is connected, and this time it’s not the VPN’s fault. The team at Mullvad and the researcher who discovered the bug both reported the issue to Google via the Android issue tracker, but Google closed it as infeasible to fix. GrapheneOS, a security-focused mobile OS based on Android, quickly patched it, so there’s that. 

This isn’t the first time a bug like this has been discovered, and historically, Google hasn’t been in a rush to fix the issue. We’ll see if it gets around to fixing this one, but for its part, Mullvad says the only way to really get around it is to make sure you’re using a reliable VPN and only install apps you trust. And take our advice: Avoid free VPN apps unless they come from a legitimate provider.
